Preface


Asiacrypt, the annual conference of cryptology sponsored by IACR, is now 11 years old. Asiacrypt 2005 was held during December 4-8, 2005, at Hotel Taj Coromandel, Chennai, India. This conference was organized by the International Association for Cryptologic Research (IACR) in cooperation with the Indian Institute of Technology (IIT), Chennai.

This year a total of 237 papers were submitted to Asiacrypt 2005. The submissions covered all areas of cryptographic research representing the current state of work in the crypto community worldwide. Each paper was blind reviewed by at least three members of the Program Committee and papers co-authored by the PC members were reviewed by at least six members. This first phase of review by the PC members was followed by a detailed discussion on the papers. At the end of the reviewing process 37 papers were accepted and were presented at the conference. The proceedings contain the revised versions of the accepted papers. In addition we were fortunate to have Prof. Andrew Yao and Prof. Bart Preneel as invited speakers.

Based on a discussion and subsequent voting among the PC members, the 
Best Paper Award for this year’s Asiacrypt was conferred to Pascal Paillier and 
Damien Vergnaud for the paper entitled “Discrete-Log-Based Signatures May 
Not Be Equivalent to Discrete Log.” 

I would like to thank the following people. First, the General Chair, Prof. 
Pandu Rangan. Next, Springer for publishing the proceedings in the Lecture 
Notes in Computer Science series. I would also like to thank the submitting 
authors, the Program Committee members, the external reviewers, and the local 
Organizing Committee consisting of Mr. Veeraraghavan and Mr. E. Boopal. I 
acknowledge the partial financial support provided by Microsoft Research Labs, 
India. I thank Dr. Debrup Chakraborty for his help in managing the submissions 
and the final preparation of the proceedings. Thanks also go to Mr. Sanjit Chatterjee for his assistance in the process.


December 2005 


Bimal Roy 
Abstract. We provide evidence that the unforgeability of several discrete-log based signatures like Schnorr signatures cannot be equivalent to the discrete log problem in the standard model. This contradicts in nature well-known proofs standing in weakened proof methodologies, in particular proofs employing various formulations of the Forking Lemma in the random oracle model. Our impossibility proofs apply to many discrete-log-based signatures like ElGamal signatures and their extensions, DSA, ECDSA and KCDSA as well as standard generalizations of these, and even RSA-based signatures like GQ. We stress that our work sheds more light on the provable (in)security of popular signature schemes but does not explicitly lead to actual attacks on these.

1 Introduction 

It is striking to observe that after more than two decades of active research on the matter, the standard-model security of discrete-log based signatures like Schnorr, ElGamal or DSA remains mysteriously unknown. Although dedicated proof techniques do exist in weakened models (e.g. the random oracle model (ROM) [19,4,8] or the generic group model (GGM) [7]), none of them provides intuition about the actual security of discrete-log signatures. Even though they have withstood concerted cryptanalytic effort fairly well, we suspect that the real-life security of many of these signature schemes is actually weaker than expected. We provide evidence that most discrete-log-based signatures defined over some prime-order group G cannot be equivalent to extracting discrete logs over G in the standard model. Our results are partial in the sense that we disprove equivalence via algebraic reductions. In brief, algebraic reductions can only apply group operations on group elements. This restriction is not overly restrictive as we do not know any example of a cryptographic reduction which is not algebraic. Our results suggest that most discrete-log based signature schemes just cannot reach a maximal security level, i.e. equivalence towards their primitive problem, or that if some of them do, it is through non-algebraic reductions exploiting intricate and subtle relations within the group G.

B. Roy (Ed.): ASIACRYPT 2005, LNCS 3788, pp. 1-20, 2005. 

© International Association for Cryptologic Research 2005 
Most interestingly, our work highlights a possible separation between the standard model and the random oracle model in which it is well-known that forging Schnorr signatures (for instance) is equivalent to extracting discrete logs. An interpretation is that random-oracle-based proofs leave unfair advantage to security reductions by probing and modifying the adversary’s internal computations and thereby letting the random oracle play a crucial role that cannot be justified in real life. Previous works have observed similar separations in specific contexts [2,18].

The Fiat-Shamir paradigm of transforming identification schemes into digital signature schemes [13] is popular because it yields efficient protocols. However all known results for the security of Fiat-Shamir-transformed signature schemes like Schnorr take place in the ROM¹. Even worse, they impose the loss of a factor nearly q_H (the number of queries the forger makes to the random oracle) in either execution time or success probability of reductions that convert a forger into an algorithm that extracts discrete logarithms. While no proof exists that the loss of this factor is necessary, the problem seems inherent to the way signature schemes are constructed from identification protocols.

We prove in this paper that any random-oracle-based reduction from computing discrete logarithms to forging Schnorr signatures must lose a factor at least √q_H. This shows that a proof of equivalence in the ROM, if algebraic, will never be tight. We believe our work gives a new perspective as to why no efficient proof of equivalence to the discrete log problem has ever been found for Schnorr signatures despite considerable research efforts.

We emphasize that although our work disproves that Schnorr, ElGamal, 
DSA, GQ, etc. are maximally secure, no actual attack or weakness of either 
of these signature schemes arises from our impossibility results. Nothing stated 
here refutes that forging signatures is likely to be intractable in practice. 


1.1 Our Contributions 

Our results are manyfold. Introducing a simple way to simulate forgeries, we are able to relate security properties of many signature schemes (Schnorr, (Meta) ElGamal, DSA², ECDSA, KCDSA, GQ) to one-more computational problems, in a positive or negative sense. In the positive sense, we prove the unbreakability of these signatures (meaning that the signing key cannot be recovered) under chosen-message attacks, thereby identifying security properties that have remained unknown for these schemes.

Starting from the same simulation technique, we show that no algebraic reduction can exist that would relate the unforgeability (under any kind of attacks) of these signatures to their primitive problem. This result is extendable to the one-more setting, meaning that there cannot exist a similar reduction to a weakened, one-more version of the primitive problem. Our impossibility proofs rely on the construction of an efficient meta-reduction relating such a reduction to the one-more problem itself. Thus, under the assumption that this problem is intractable, the fact that a polynomial meta-reduction exists forbids the existence of algebraic reductions. We note that our meta-reductions are perfect, meaning that they preserve success probabilities perfectly. This emphasizes the strength of our impossibility results.

¹ It is known that the Fiat-Shamir transform provides a separation between the ROM and the standard model, see [14].

² Note that this work constitutes the first proper security analysis of DSA and ECDSA in the standard model. Previous to this work the only known security result on DSA schemes was that of Brown on ECDSA which assumed a generic group [7].


1.2 Roadmap 

We start by providing definitional facts about discrete-log-based signature schemes, security notions for signatures, the discrete log and one-more discrete log assumptions over a group G, reductionist security proofs and algebraic reductions. Section 3 proves that Schnorr signatures are unbreakable under a chosen-message attack. Section 4 then proves that if the one-more discrete log assumption holds, then Schnorr signatures cannot be proven equivalent to the discrete log problem, and Section 5 further extends this impossibility to the one-more discrete log problem. Section 6 then applies our proof technique to other signature schemes, slightly adapting the proof to the underlying computational problem when necessary. Lastly, Section 7 explores the case of random-oracle-based reductions and shows that any reduction of that type, if algebraic, must lose a factor close to √q_H. We conclude with a series of open questions in Section 8.

2 Preliminaries 

2.1 Schnorr Signatures 

Schnorr’s identification protocol was introduced in the late eighties [21,20] as a means to prove knowledge of the discrete logarithm of a publicly known group element. Let G = ⟨g⟩ be a group of prime order q and let P and V denote a prover and a verifier. By engaging in the protocol, P proves to V that he knows the discrete log x of a public group element y = g^x. The protocol has three simple moves. (Commitment) P selects a random k ← Z_q, computes r = g^k and sends r to V. (Challenge) V picks a random c ← Z_q and sends c to P. (Response) P computes and sends s = k + cx mod q to V. Lastly, V verifies that g^s · y^{-c} = r and recognizes that P knows x if the equality holds.

Schnorr signatures derive from Schnorr’s identification protocol by applying the Fiat-Shamir transform [13] with respect to a hash function H : {0,1}* → Z_q. The Fiat-Shamir-transformed protocol is changed into a signature scheme by making it non-interactive. In this respect, the signer acts like P and simulates a verifier V by computing the challenge c himself as c = H(m, r). For concreteness, we detail Schnorr’s signature scheme Σ_H as a tuple of probabilistic algorithms Σ_H = (Gen, Sign, Ver) defined as follows.
Key Generation. Gen selects a random x ← Z_q. The secret key is x while the public key is y = g^x ∈ G.

Signing Procedure. Given a message m ∈ {0,1}*, Sign(m) picks a random k ← Z_q, computes r = g^k, c = H(m, r) and s = k + cx mod q. The output signature is (s, c).

Verification Procedure. Ver(m, (s, c)) returns 1 if H(m, g^s y^{-c}) = c and 0 otherwise.

Schnorr signatures constitute one of the most important ingredients in the 
design of cryptographic protocols, cryptosystems and proofs of knowledge. 


2.2 Security Notions 

Security notions for signature schemes are defined with respect to several types of adversaries or equivalently, as the conjunction of an adversarial goal and an attack scenario. An adversary is modeled as a probabilistic Turing machine attempting to fulfill the goal while given access to certain resources when interacting with the signature scheme.

Adversarial Goals. We make use of three separate goals in this paper although others may also be of interest (e.g. signature malleability [19]). We say that a signature scheme is breakable (BK) when an adversary extracts the secret key matching a prescribed public key. The scheme is said to be universally forgeable (UF) when there exists an adversary A that returns a valid signature on a message given as input to A. The notion of existential forgeability (EF) is similar but allows the adversary to choose freely the value of the signed message.

Attack Models. We consider two attack scenarios in this paper. In a key-only attack (KOA), the adversary is given nothing else than a public key as input³. In a chosen-message attack (CMA), the adversary is given adaptive access to signatures on messages of his choice while attempting to achieve his goal.

Security notions are obtained by coupling an adversarial goal with an attack 
model. We distinguish between several notions of reference for which general 
results are immediate, as shown on Figure 1. We refer the reader to the extensive 
cryptographic literature for a more formal definition of these security notions. 


2.3 Discrete Logarithm Problems 

DL. Solving the discrete log problem DL[g, r] in a group G = ⟨g⟩ of prime order q consists in computing k ∈ Z_q given r = g^k ∈ G. Because of its random self-reducibility [19], the hardness of the discrete log problem is essentially independent from the choice of its inputs (g, r) and rather depends on the inner structure of the group G itself. We denote DL the problem of computing discrete logs over G = ⟨g⟩ with respect to a fixed base g. A probabilistic algorithm A that (ε, τ)-solves DL is such that

$$\Pr_{k \leftarrow \mathbb{Z}_q}\left[\, A(g^k) = k \,\right] \ge \varepsilon$$

where the probability is taken over the random tape of A and A stops after time at most τ. The (ε, τ)-discrete-log assumption tells that DL cannot be (ε, τ)-solved over G. The (asymptotic) discrete log assumption tells that if DL can be (ε, τ)-solved for τ = poly(log q) then ε is negligible before 1/poly(log q).

³ The term no-message attacks is also frequently used to designate such attacks.

[Figure 1 (diagram not reproduced): the six notions arranged by goal (existential forgeries, universal forgeries, breakability) against attack (key only, chosen message), namely EF-KOA[S] and EF-CMA[S]; UF-KOA[S] and UF-CMA[S]; BK-KOA[S] and BK-CMA[S], with reduction arrows between neighbouring notions.]

Fig. 1. Major security notions for signature schemes. S denotes an arbitrary signature scheme and P_1 ⇐ P_2 means that P_1 is polynomially reducible to P_2. Security notions are defined by their underlying problem, e.g. UF-KOA[S] denotes the problem of computing a universal forgery under a key-only attack.

The One-More DL. The computational problem n-DL is defined as a natural extension of DL. A probabilistic algorithm A solving n-DL is given n + 1 group elements r_0, r_1, ..., r_n as well as a limited access to a discrete log oracle DL_om. A is allowed to access DL_om at most n times, thus obtaining the discrete logarithm of n group elements of his choice with respect to a fixed base g. A must eventually output the n + 1 discrete logs k_0 = dl_g(r_0), ..., k_n = dl_g(r_n). An algorithm A is said to (ε, τ)-solve n-DL when

$$\Pr_{k_0, \dots, k_n \leftarrow \mathbb{Z}_q}\left[\, A^{DL_{om}}(g^{k_0}, \dots, g^{k_n}) = (k_0, \dots, k_n) \,\right] \ge \varepsilon$$

where the probability is taken over the random tape of A, A stops after time at most τ and A calls DL_om at most n times. The one-more discrete log assumption tells that no probabilistic algorithm can solve n-DL with non-negligible success probability over G for any integer n ≥ 1. It is easily seen that DL is contained as the special case DL = 0-DL and that n_1-DL ⇐ n_2-DL whenever n_1 > n_2.


2.4 Reduction-Based Security Proofs 

Reductions. Cryptographers use reductionist proofs to convince others that their schemes are computationally secure. An algorithm R is said to reduce a problem P_1 to a problem P_2, which we then denote by P_1 ⇐_R P_2, if R solves P_1 with the help of an algorithm solving P_2. Algorithm R is then called a reduction from P_1 to P_2. We write P_1 ⇐ P_2 when there exists a polynomial time reduction from P_1 to P_2, and P_1 = P_2 when one has simultaneously P_1 ⇐ P_2 and P_2 ⇐ P_1.

Algebraic Algorithms. Our method of converting a reduction R such that DL ⇐_R UF-KOA[Σ_H] into an algorithm solving the one-more discrete log problem applies whenever R belongs to a certain “natural” class of reductions. We refer to these as algebraic reductions.

In brief, a reduction algorithm R is algebraic with respect to a group G if R is limited to perform group operations on group elements. Adding 1 to g ∈ G is thus not permitted, even if this operation is well-defined and meaningful (if G is the multiplicative subgroup of a ring, for instance). R is free to apply arbitrary operations on other data types, but when it comes to elements of G, the only available operations are among the (redundant) limited set

$$\mathcal{S} = \left\{ (g_1, g_2) \mapsto g_1 \stackrel{?}{=} g_2,\ (g_1, g_2) \mapsto g_1 \cdot g_2,\ (g_1, \lambda) \mapsto g_1^{\lambda},\ g_1 \mapsto g_1^{-1} \right\}.$$

For instance a reduction placed into the generic group model (GGM), or more precisely in the non-programmable GGM, is an algebraic reduction⁴. However, the class of algebraic reductions encompasses many more algorithms and in particular may be relevant on groups where there do exist algorithms exploiting the encoding of elements. This class of reductions is not overly restrictive (in fact, we do not know any example of a cryptographic reduction which is not algebraic). The restriction of our results to algebraic reductions is much weaker than the one made in [11], which considers only reductions supplying the adversary with a public key which is always the same as its own challenge. It is worth noting that our results extend readily to such reductions.

Algebraic algorithms were originally defined by Boneh and Venkatesan [5] in the context of rings of integers modulo n = pq under the form of straight-line programs computing polynomials over the ring structure Z_n. Here, we stick to a (somewhat more natural) definition of algebraicity towards a group structure. A formal definition of this property is that an algebraic algorithm R admits a polynomial time extractor Extract enabling one, given R’s inputs (s, g_1, ..., g_k) ∈ {0,1}* × G^k and random tape ω, to recover for any variable h ∈ G output by R after τ elementary steps the coefficients α_i such that h = g_1^{α_1} ⋯ g_k^{α_k}. Extract possibly has non black-box access to R and in particular may be given the code of R. We require that Extract runs in time poly(τ, |R|) where |R| denotes the code size of R.

In the sequel, we adopt the notation P_1 ⇐_alg P_2 whenever there exists an algebraic algorithm R such that P_1 ⇐_R P_2, and P_1 =_alg P_2 when P_1 ⇐_{R_1} P_2 and P_2 ⇐_{R_2} P_1 for algebraic reductions R_1, R_2. Conversely, the notation P_1 ⇍_alg P_2 says that there exists no algebraic algorithm R such that P_1 ⇐_R P_2. We define P_1 ≠_alg P_2 in a similar way.


⁴ It should be mentioned that the GGM suffers from the same separation problems as the ROM, see [10].
3 Schnorr is Unbreakable Under the One-More Discrete Log Assumption

We start by showing that Schnorr’s signature scheme Σ_H defined over some group G is at least as hard to break as the one-more discrete log problem is hard to solve over G. This is a positive security result standing in the standard model.

Theorem 1 (q_s-DL ⇐ BK-CMA[Σ_H]). Assume there exists an adversary A against Σ_H that breaks the secret key under a chosen-message attack with q_s signature queries and success probability ε. Then there exists an algorithm R that solves q_s-DL with probability ε' = ε in similar time.

Proof. The description of G = ⟨g⟩ is implicitly given to all parties (this will be the case for all reductions and meta-reductions considered in this paper). Assume there exists a probabilistic algorithm A that takes as input y = g^x, requests the signature of q_s messages, and outputs the secret key x with probability ε after τ steps. We construct a reduction algorithm R which makes use of A to solve a q_s-DL instance over G. Algorithm R works as follows.

R receives q_s + 1 group elements r_0, r_1, ..., r_{q_s}, defines y = r_0 and launches A(y, ω) over some random tape ω. Now whenever A requests the Schnorr signature of a message m_i, R uses r_i to compute c_i = H(m_i, r_i). R then queries the discrete log oracle to get s_i ← DL_om(r_i · y^{c_i}) and returns the signature σ_i = (s_i, c_i). It is easily seen that this simulation is perfect.

After at most q_s signature queries, A returns k_0 such that r_0 = g^{k_0} with probability ε, in which case R uses k_0 to retrieve the discrete logarithm k_i = s_i − k_0 c_i mod q of r_i for i = 1, ..., q_s. R then returns (k_0, k_1, ..., k_{q_s}) and therefore succeeds in solving q_s-DL with probability ε' = ε after at most τ' = τ + poly(q_s, Time(H), log q) steps. □
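The scheme of Section 2.1 and the reduction R of Theorem 1, as an added worked example that is not code from the paper: it runs over a constructed toy group (p = 2039, q = 1019, g = 4, far too small for real use), replaces the oracle DL_om by brute force, and supplies a constructed key-recovery adversary so that R can be exercised end to end. Names such as QsDLInstance, reduction_R and toy_key_recovery_adversary are this example's own.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real
# use: p = 2q + 1 with q prime, and g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def H(m: bytes, r: int) -> int:
    """Hash function H : {0,1}* -> Z_q, here SHA-256 of m || r reduced mod q."""
    return int.from_bytes(hashlib.sha256(m + r.to_bytes(2, "big")).digest(), "big") % Q


def gen():
    """Gen: secret key x <- Z_q, public key y = g^x."""
    x = secrets.randbelow(Q)
    return x, pow(G, x, P)


def sign(x: int, m: bytes):
    """Sign(m): k <- Z_q, r = g^k, c = H(m, r), s = k + c x mod q; output (s, c)."""
    k = secrets.randbelow(Q)
    c = H(m, pow(G, k, P))
    return (k + c * x) % Q, c


def verify(y: int, m: bytes, sig) -> bool:
    """Ver(m, (s, c)): accept iff H(m, g^s * y^-c) = c."""
    s, c = sig
    r = pow(G, s, P) * pow(y, -c, P) % P   # negative exponent needs Python 3.8+
    return H(m, r) == c


def dl_oracle(r: int) -> int:
    """Stand-in for DL_om: brute-force discrete log, affordable only because q is tiny."""
    return next(k for k in range(Q) if pow(G, k, P) == r)


class QsDLInstance:
    """A q_s-DL instance: q_s + 1 random elements r_0..r_{q_s}, at most q_s oracle calls."""
    def __init__(self, qs: int):
        self.logs = [secrets.randbelow(Q) for _ in range(qs + 1)]   # hidden from R
        self.elements = [pow(G, k, P) for k in self.logs]
        self.budget = qs

    def query(self, r: int) -> int:
        if self.budget == 0:
            raise RuntimeError("DL_om budget exhausted")
        self.budget -= 1
        return dl_oracle(r)


def reduction_R(instance: QsDLInstance, adversary):
    """R from Theorem 1. Sets y = r_0 and answers A's i-th signing query on m_i
    with c_i = H(m_i, r_i), s_i = DL_om(r_i * y^{c_i}); A cannot tell this from a
    real signature because g^{s_i} y^{-c_i} = r_i. Once A returns k_0 = x, every
    k_i = s_i - k_0 c_i mod q follows, so R outputs all q_s + 1 logs."""
    y = instance.elements[0]
    answered = []   # (s_i, c_i) for the i-th query, which consumed r_i

    def signing_oracle(m: bytes):
        r_i = instance.elements[len(answered) + 1]
        c = H(m, r_i)
        s = instance.query(r_i * pow(y, c, P) % P)
        answered.append((s, c))
        return s, c

    k0 = adversary(y, signing_oracle)
    return [k0] + [(s - k0 * c) % Q for s, c in answered]


def toy_key_recovery_adversary(y: int, signing_oracle) -> int:
    """Constructed BK-CMA adversary with epsilon = 1: asks for three signatures
    (checking that each verifies) and then recovers x, here by brute force since
    the group is tiny. R relies only on this interface, not on how x is found."""
    for m in (b"alpha", b"beta", b"gamma"):
        assert verify(y, m, signing_oracle(m)), "simulated signature must verify"
    return dl_oracle(y)
```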

4 Schnorr Signatures are Not Unforgeable Under the Discrete Log Assumption

We now show that Schnorr signatures cannot be proven universally unforgeable under the discrete log assumption in the standard model with respect to an algebraic reduction. We actually show that if such a reduction existed then the one-more discrete log assumption would not hold over G.

Theorem 2. Assume that the one-more discrete log assumption holds. Then

DL ⇍_alg UF-KOA[Σ_H].

We give a more precise formulation of Theorem 2 in the following lemma.

Lemma 1. Assume there exists an algebraic reduction algorithm R that converts an (ε, τ)-universal forger A under a key-only attack into an (ε', τ')-solver for the discrete logarithm and assume that R executes A at most n times. Then there exists a meta-reduction algorithm M that solves n-DL with success probability ε'' = ε' within time τ'' = τ' + poly(τ', |R|, n, Time(H), log q).
Proof. The rest of the section is dedicated to proving Lemma 1 and we start by giving an overview of how the proof works. Assuming the existence of an algebraic reduction R as above, we construct a meta-reduction M that solves n-DL with success probability identical to the one of R. Algorithm M works as follows. Given n + 1 group elements r_0, ..., r_n ∈ G, M launches R over r_0 and some arbitrary random tape. M then perfectly simulates at most n executions of the adversary A by using r_1, ..., r_n and by making requests of discrete logarithms to oracle DL_om. If R outputs k_0, M uses its transcript information to retrieve the discrete logs k_j of the r_j’s.

Tracing R’s Internal Group Operations. The reduction algorithm R takes as input a challenge discrete log instance r_0 = g^{k_0} and is allowed to invoke n times the universal forger A with freely chosen public keys y_i = g^{x_i}, messages m_i and random tapes ω_i where i = 1, ..., n. For our meta-reduction M to work, however, we need a constructive way to recover the values of the x_i’s from the one of k_0 = dl_g(r_0). This is where an additional mechanism is needed. We may either choose to place R in the generic model to have access to its internal computations involving group elements, or more generally consider R to be algebraic and let M have the code of R if necessary, i.e. have non black-box access to R. In the sequel, we impose that R is algebraic, and provided that the code of R is polynomial in length, M is assumed to have a polynomial time extraction procedure Extract(k_0, Transcript) = (x_1, ..., x_n).

Simulation of A. The simulation of a universal forger A(y, m, ω) under a key-only attack is described as follows. Transcript and j are viewed as global variables initialized before A is executed for the first time.

1. Receive (y, m, ω) ∈ G × {0,1}* × {0,1}*
2. Select δ ← [0, 1] uniformly at random
3. If δ > ε stop and output ⊥
4. Else if (y, m, ω) ↦ (s, c) ∈ Transcript for some signature (s, c), stop and output (s, c)
5. Else
   (a) Define r = r_j and increment j by 1
   (b) Compute c = H(m, r)
   (c) Request the discrete log s ← DL_om(r · y^c)
   (d) Append (y, m, ω) ↦ (s, c) to Transcript
   (e) Output σ = (s, c)

Description of M. M takes the first group element r_0 ∈ G, initializes j = 1 and Transcript = ∅, and invokes R with input r_0 and arbitrary random tape. M then simulates the universal forger A as above, resulting in a perfect simulation. During simulation, M sends ℓ requests to oracle DL_om for some ℓ ∈ [1, n] (therefore ℓ is the value of j after the n successive simulations of A). Now assume R outputs k_0 = dl_g(r_0). M then uses its transcript information to extract

(x_1, ..., x_n) = Extract(k_0, Transcript).

There are ℓ records of type (y, m, ω) ↦ (s, c) in Transcript. Then for j ∈ [1, ℓ], if the j-th record is of the form (g^{x_i}, *, *) ↦ (s, c) for some i ∈ [1, n] then M computes k_j = dl_g(r_j) = s − c x_i mod q. At this point, M knows (k_0, k_1, ..., k_ℓ). Now for j = ℓ + 1 to n, M directly requests k_j = dl_g(r_j) from DL_om. M then returns (k_0, ..., k_ℓ, k_{ℓ+1}, ..., k_n), thereby succeeding in solving n-DL. This occurs with probability ε'' = ε' and time τ'' = τ' + poly(τ', |R|, n, Time(H), log q). □
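The meta-reduction M of Lemma 1, as an added example that is not the paper's code, over the same constructed toy group (p = 2039, q = 1019, g = 4). Instead of a general Extract it traces the exponents (a, b) that an algebraic reduction applies to g and r_0 (class AlgElem, an assumption of this example), plays the simulation of A above for R, and turns R's answer k_0 into every other log; toy_algebraic_R is a constructed stand-in that exists only so that M can be run, since no such reduction is known.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small for real
# use: p = 2q + 1 with q prime, and g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def H(m: bytes, r: int) -> int:
    """Hash function H : {0,1}* -> Z_q, here SHA-256 of m || r reduced mod q."""
    return int.from_bytes(hashlib.sha256(m + r.to_bytes(2, "big")).digest(), "big") % Q


def dl_oracle(r: int) -> int:
    """Stand-in for DL_om: brute-force discrete log, affordable only because q is tiny."""
    return next(k for k in range(Q) if pow(G, k, P) == r)


class AlgElem:
    """A group element as an algebraic reduction R sees it: its value together
    with exponents (a, b) such that value = g^a * r_0^b. R may only combine
    elements through the operations below (the set S of Section 2.4), so the
    pair (a, b) is exactly what Extract recovers; M reads it off directly."""
    def __init__(self, val: int, a: int, b: int):
        self.val, self.a, self.b = val, a % Q, b % Q

    def __mul__(self, other: "AlgElem") -> "AlgElem":
        return AlgElem(self.val * other.val % P, self.a + other.a, self.b + other.b)

    def __pow__(self, e: int) -> "AlgElem":
        return AlgElem(pow(self.val, e, P), self.a * e, self.b * e)

    def __eq__(self, other) -> bool:
        return self.val == other.val


GEN = AlgElem(G, 1, 0)   # the generator g, whose representation is trivial


class NDLInstance:
    """An n-DL instance: n + 1 random elements r_0..r_n and a counted DL_om oracle."""
    def __init__(self, n: int):
        self.logs = [secrets.randbelow(Q) for _ in range(n + 1)]   # hidden from M and R
        self.elements = [pow(G, k, P) for k in self.logs]
        self.queries = 0

    def query(self, r: int) -> int:
        self.queries += 1
        return dl_oracle(r)


def meta_reduction_M(instance: NDLInstance, reduction_R):
    """M from Lemma 1. Runs R on r_0, plays the universal forger A for R using
    r_1, r_2, ... and DL_om (steps 4 and 5 of the simulation; the coin flip of
    steps 2-3 is omitted, i.e. epsilon = 1), then turns R's answer k_0 into the
    remaining logs via x_i = a_i + b_i k_0 and k_j = s - c x_i mod q."""
    n = len(instance.elements) - 1
    transcript = {}   # (y, m, w) -> (s, c)
    trace = []        # per fresh forgery: (a, b, s, c) with y = g^a r_0^b

    def A(y: AlgElem, m: bytes, w: bytes):
        key = (y.val, m, w)
        if key in transcript:                 # step 4: same inputs, same forgery
            return transcript[key]
        r = instance.elements[len(trace) + 1]             # 5(a): r = r_j
        c = H(m, r)                                       # 5(b)
        s = instance.query(r * pow(y.val, c, P) % P)      # 5(c): s = DL_om(r y^c)
        transcript[key] = (s, c)                          # 5(d)
        trace.append((y.a, y.b, s, c))
        return s, c                                       # 5(e)

    k0 = reduction_R(AlgElem(instance.elements[0], 0, 1), A)
    ks = [k0]
    for a, b, s, c in trace:                  # Extract gives x_i, then k_j = s - c x_i
        ks.append((s - c * ((a + b * k0) % Q)) % Q)
    for j in range(len(trace) + 1, n + 1):    # unused r_j: ask DL_om directly
        ks.append(instance.query(instance.elements[j]))
    return ks


def toy_algebraic_R(r0: AlgElem, A):
    """Constructed stand-in for the hypothetical algebraic reduction of Lemma 1:
    it invokes A on re-randomised keys y_i = r_0^{b_i} g^{a_i} and finally
    outputs dl_g(r_0), obtained here by brute force since the group is tiny.
    Only its algebraic handling of group elements matters to M."""
    for i in range(3):
        a, b = secrets.randbelow(Q), 1 + secrets.randbelow(Q - 1)
        A((r0 ** b) * (GEN ** a), b"message %d" % i, b"random tape")
    return dl_oracle(r0.val)
```

M ends up with all n + 1 logs after exactly n oracle calls: one per forgery it simulated and one per element it never used.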

5 Extension to the One-More Discrete Log Assumption 

Theorem 2 shows that under the one-more discrete log assumption, no algebraic reduction exists that would reduce the discrete log problem to forging Schnorr signatures. This is a big step towards proving that coming up with forgeries is strictly easier than extracting discrete logs. One may ask whether a similar impossibility result extends to computational problems weaker than DL. We provide a positive answer to this question too by showing that if the one-more discrete log assumption holds, there can be no algebraic reduction from solving any one-more discrete log problem to forging signatures. In other words

Theorem 3. Assume that the one-more discrete log assumption holds. Then

t-DL ⇍_alg UF-KOA[Σ_H]

for any integer t ≥ 0.

Note that Theorem 3 contains Theorem 2 in the special case where t = 0. This shows that Schnorr signatures cannot be proven universally unforgeable under the one-more discrete log assumption with respect to an algebraic reduction, or that if they can, the one-more discrete log assumption does not hold over G, thus rendering such a reduction useless. The following lemma captures this more precisely.

Lemma 2. Assume there exists an algebraic reduction algorithm R that converts an (ε, τ)-universal forger A under a key-only attack into an (ε', τ')-solver for t-DL and assume that R executes A at most n times. Then there exists a meta-reduction algorithm M that solves (t + n)-DL with success probability ε'' = ε' within time τ'' = τ' + poly(τ', |R|, t, n, Time(H), log q).

Proof (of Lemma 2). The proof is very similar to the one of Lemma 1. We therefore avoid details and focus on the changes we apply to extend to the general case t-DL, t ≥ 0. Again, from an algebraic reduction R as above, we construct M that solves (t + n)-DL with success probability identical to the one of R.

Extraction of Secret Keys. The reduction algorithm R now takes as input a t-DL instance

(r_0 = g^{k_0}, r_1 = g^{k_1}, ..., r_t = g^{k_t}) ∈ G^{t+1},
calls DL_om up to t times and invokes at most n times the universal forger A with freely chosen public keys y_i = g^{x_i}, messages m_i and random tapes ω_i where i = 1, ..., n. Since R is algebraic and of polynomially bounded size, we have a polynomial time extraction procedure Extract(k_0, k_1, ..., k_t, Transcript) = (x_1, ..., x_n).

Simulation of A. The simulation of the universal forger A is identical to the one given in the previous section.

Simulation of DL_om. Since R attempts to solve t-DL, we must allow R to send up to t requests to the discrete logarithm oracle DL_om. The meta-reduction M individually collects these requests, forwards them to DL_om and sends the corresponding outputs back to R. We may assume that R makes exactly t oracle calls since in the case when R sends strictly less than t requests during the game, M sends additional requests of discrete logs for randomly chosen group elements to DL_om on behalf of R. This simulation is obviously perfect.

Overall Description of M. M takes its first t + 1 group elements (r_0, ..., r_t) among (r_0, ..., r_{t+n}), initializes Transcript = ∅ and j = 1, and invokes R with input (r_0, ..., r_t) and arbitrary random tape. M then simulates the universal forger A and discrete log oracle DL_om as above, resulting in a perfect simulation. During simulation, M sends t + ℓ requests to DL_om for some ℓ ∈ [1, n]. Now assume R succeeds and outputs

k_0 = dl_g(r_0), k_1 = dl_g(r_1), ..., k_t = dl_g(r_t).

M then uses its transcript information to extract

(x_1, ..., x_n) = Extract(k_0, ..., k_t, Transcript).

There are ℓ records of type (y, m, ω) ↦ (s, c) in Transcript. Then for j ∈ [1, ℓ], if the j-th record is of the form (g^{x_i}, *, *) ↦ (s, c) for some i ∈ [1, n] then M computes k_{t+j} = dl_g(r_{t+j}) = s − c x_i mod q. Thus M recovers (k_{t+1}, ..., k_{t+ℓ}). Now for j = t + ℓ + 1 to t + n, M directly requests k_j = dl_g(r_j) from DL_om. Then M returns

$$\underbrace{(k_0, k_1, \dots, k_t)}_{\text{output by } R} \cup \underbrace{(k_{t+1}, \dots, k_{t+\ell})}_{\text{extracted by } M} \cup \underbrace{(k_{t+\ell+1}, \dots, k_{t+n})}_{\text{requested to } DL_{om}} = (k_0, \dots, k_{t+n}),$$

thereby succeeding in solving (t + n)-DL. This occurs with probability ε'' = ε' and execution time τ'' = τ' + poly(τ', |R|, t, n, Time(H), log q). □

Summary. Because of the relations

EF-CMA[Σ_H] ⇐ {EF-KOA[Σ_H], UF-CMA[Σ_H]} ⇐ UF-KOA[Σ_H],

our impossibility results readily extend to forgeries of any kind, under any attack model. We summarize our results (also displayed in Figure 2), stating our positive and negative security proofs for Schnorr signatures assuming the one-more discrete log assumption holds:

[Figure 2 (diagram not reproduced).] Fig. 2. Our results for Schnorr’s signature scheme Σ_H are shown in boxes. In particular, universal and existential forgeries under any kind of attack cannot be proven equivalent to the discrete log problem via an algebraic reduction.

Theorem 1: Schnorr’s scheme is unbreakable under chosen-message attacks.
Theorems 2 and 3: Universal and existential forgeries under any kind of attack cannot be proven secure under the discrete log assumption or even the one-more discrete log assumption with respect to an algebraic reduction.

6 Applications to Other Signature Schemes 

We extend our results to various signature schemes, adapting our meta-reduction- 
based proof technique to comply with the schemes’ inner design. 


6.1 Guillou-Quisquater 

GQ signatures were suggested by Guillou and Quisquater in [15]. Among other 
properties, GQ is a Fiat-Shamir-transformed signature scheme based on RSA 
and supports identity-based public keys. 

Scheme Parameters and Key Generation. Let p, q be two large primes, set 
n = pq and choose randomly v such that gcd(u, <t>(n)) = 1. The public parameters 
are (n, v) as well as a hash function H : (0, 1}* t— > Z„. Now the signer chooses a 
secret key x r- Z n . The related public key is y = x~ v mod n. 

Signature Generation and Verification. Given a message m, the signer selects
k ← Z_n, computes r = k^v mod n, c = H(m, r) and s = k x^c mod n. The signature
is σ = (s, c). To verify the signature, check whether H(m, s^v y^c mod n) = c.

Because of their similarity with Schnorr, GQ signatures fit our impossibility
proofs quite well. However the primitive computational problem here is not DL
but rather extracting v-th roots modulo n, which we denote of course by RSA.
The one-more version of RSA is easily defined with the help of an oracle RSA_om
extracting the v-th root of its argument [3]. Solving n-RSA thus consists in
finding the v-th root of n + 1 elements of Z_n given no more than n invocations
of RSA_om. The one-more RSA assumption says that n-RSA is intractable for
n ≥ 1.

Theorem 4. Assume the one-more RSA assumption holds. Then (i) GQ is unbreakable
under chosen-message attacks, (ii) Universal and existential forgeries under
any attack cannot be proven secure under the RSA assumption or the one-more RSA
assumption with respect to an algebraic reduction.
Proof (Sketch). We rely on the same proof technique as in the proofs of Theorems
1, 2 and 3. Here, however, the simulation of the UF-KOA adversary A must be
slightly reformulated. An overall description of our meta-reduction M is as
follows. The reduction algorithm R takes as input a t-RSA instance

\[ (r_0 = k_0^v \bmod n,\; r_1 = k_1^v \bmod n,\; \ldots,\; r_t = k_t^v \bmod n) \in \mathbb{Z}_n^{t+1}, \]

calls RSA_om up to t times and calls the forger A at most n times with public keys
y_i = x_i^{-v} mod n, messages m_i and random tapes ω_i, where i = 1, ..., n. Since
R is algebraic, M is assumed to dispose of a polynomial time extraction procedure
Extract(k_0, k_1, ..., k_t, Transcript) = (x_1, ..., x_n). Now when simulating
A(y, m, ω) for new inputs (y, m, ω), if M must compute a forgery then, for the
j-th such simulation, M takes r = r_{t+j}, computes c = H(m, r) and requests the
v-th root s ← RSA_om(r y^{-c} mod n). The simulation is perfect. After recovering
(x_1, ..., x_n) from (k_0, ..., k_t), M consults its transcript and if the j-th
entry is (x_i^{-v} mod n, *, *) ↦ (s, c) for some i then M computes
k_{t+j} = s x_i^{-c} = r_{t+j}^{1/v} mod n. The unused inputs r_{t+ℓ+1}, ..., r_{t+n}
are sent by M to RSA_om to retrieve their v-th root directly. Following this
slightly modified description of M, one gets as before ε'' = ε' and
τ'' = τ' + poly(τ', |R|, t, n, Time(H), log q). □
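As an added illustration of the simulation in the proof of Theorem 4 (example code written for this page, not from the paper), the following toy GQ implementation shows a forgery produced without the secret key: the simulator hashes the challenge r_j, asks the v-th root oracle RSA_om for the root of r_j · y^{-c}, and later recovers k_j = s · x^{-c} once x is known. Assumptions: a tiny constructed modulus, SHA-256 reduced modulo n as H, and an oracle implemented with the factorisation of n.

```python
import hashlib
import math

# Constructed toy parameters (far too small for real use; chosen so the example
# runs instantly). The factorisation (P, Q) is used only inside the oracle
# RSA_om, never by the simulator.
P, Q = 61, 53
N = P * Q                  # n = 3233
PHI = (P - 1) * (Q - 1)    # phi(n) = 3120
V = 17                     # gcd(V, PHI) = 1


def H(m: bytes, r: int) -> int:
    """Hash H : {0,1}* -> Z_n, modelled with SHA-256 reduced mod n."""
    data = m + r.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def keygen(x: int) -> int:
    """Public key y = x^{-v} mod n for a secret key x in Z_n^*."""
    if math.gcd(x, N) != 1:
        raise ValueError("x must be invertible mod n")
    return pow(pow(x, -1, N), V, N)


def gq_sign(x: int, m: bytes, k: int) -> tuple:
    """GQ signing: r = k^v, c = H(m, r), s = k x^c (all mod n)."""
    r = pow(k, V, N)
    c = H(m, r)
    return k * pow(x, c, N) % N, c


def gq_verify(y: int, m: bytes, sig: tuple) -> bool:
    """GQ verification: H(m, s^v y^c mod n) == c."""
    s, c = sig
    return H(m, pow(s, V, N) * pow(y, c, N) % N) == c


def rsa_om(z: int) -> int:
    """The v-th root oracle RSA_om of Section 6.1 (uses the trapdoor)."""
    d = pow(V, -1, PHI)
    return pow(z, d, N)


def simulate_forgery(y: int, m: bytes, r_j: int) -> tuple:
    """Meta-reduction's simulation of the forger (proof of Theorem 4):
    a valid signature under y on m whose commitment is r_j, produced without
    x, spending one RSA_om query on r_j * y^{-c}."""
    c = H(m, r_j)
    s = rsa_om(r_j * pow(y, -c, N) % N)   # root of k^v * x^{vc} is k * x^c
    return s, c


def recover_root(s: int, c: int, x: int) -> int:
    """Once x is extracted from the transcript, the v-th root of r_j is
    k_j = s * x^{-c} mod n."""
    return s * pow(x, -c, N) % N


if __name__ == "__main__":
    x, k_j, m = 1234, 777, b"constructed message"
    y = keygen(x)
    sim = simulate_forgery(y, m, pow(k_j, V, N))
    print(gq_verify(y, m, sim), recover_root(sim[0], sim[1], x) == k_j)
```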

6.2 DSA, ECDSA and Generic DSA 

DSA is a signature scheme standardized by the NIST in 1991 [9]. The original
version of DSA is based on the discrete log problem over the subgroup of Z_p^* of
prime order q | p − 1. ECDSA, standardized as well [1], presents the same structure
but is defined over a prime-order subgroup of an elliptic curve. We consider here
their generalization to arbitrary prime-order groups as suggested by Brown in [7].
Scheme Parameters and Key Generation. Again, G = ⟨g⟩ denotes a group
of prime order q. The public parameters are (G, g), a function 𝒢 : G → Z_q, and
a hash function H : {0,1}* → Z_q. The signer chooses a secret key x ← Z_q. The
related public key is y = g^x ∈ G.

Signature Generation and Verification. Given a message m, the signer
selects k ← Z_q^*, computes r = g^k, ρ = 𝒢(r), u = H(m) and s = k^{-1}(u + ρx) mod q.
The signature is σ = (ρ, s). To verify the signature, check whether
𝒢(g^{H(m)/s} · y^{ρ/s}) = ρ.

Note that the original DSA corresponds to the case where G = (Z_p^*)^{(p−1)/q},
|q| = 160, H = SHA-1 and 𝒢(r) = r mod q. Let E be an elliptic curve group over
a finite field admitting an element P of prime order q with |q| = 160. ECDSA
is obtained with g = P, G = ⟨g⟩, H = SHA-1 and 𝒢(r) = x_r mod q where x_r is
an integer representation of the x-coordinate of point r.

Before stating our security results, we define a variant of the one-more discrete
log problem n-DL as follows. n-DL* consists in computing the discrete logs with
respect to a fixed base g of n + 1 group elements with bounded (to n) access to a
discrete log oracle DL*_om. Unlike DL_om which was limited to the fixed base g,
DL*_om provides discrete logarithms with respect to any base h ∈ G, meaning that
DL*_om(h^a, h) returns a for any h ∈ G. Although 0-DL* = DL = 0-DL, one only has
in the general case⁵ n-DL* ⇐ n-DL for n ≥ 1. The one-more free-base discrete log
assumption says that n-DL* is intractable for n ≥ 1.

Theorem 5. Assume the one-more free-base discrete log assumption holds.
Then (i) Generic DSA is unbreakable under chosen-message attacks, (ii) Universal
and existential forgeries under any attack cannot be proven secure under the
discrete log assumption or the one-more free-base discrete log assumption with
respect to an algebraic reduction.

Proof (Sketch). We use the same proof technique as for Theorem 1 and Lemmas 1
and 2. What we are after is a reduction q_s-DL* ⇐ BK-CMA[Generic-DSA] as well
as a means to simulate an UF-KOA adversary A leading to a meta-reduction M
such that if t-DL* ⇐_R UF-KOA[Generic-DSA] where R is limited to n executions
of UF-KOA[Generic-DSA], then n-DL* ⇐_M R. We first have to show how to
simulate a signing oracle without knowing the secret key. Remembering that the
simulator is given group elements {r_j} for j ∈ [1, q_s] or [t + 1, t + n], the
signature simulation is as follows. For a given public key y = g^x ∈ G and a
message m, we define r = r_j and compute ρ = 𝒢(r) and u = H(m). We then invoke
DL*_om to get

\[ s = \mathrm{DL}^*_{\mathrm{om}}\!\left( g^{u} \cdot y^{\rho},\; r \right) . \]

It is easy to see that if we write r = g^k then s conforms to the equation
s = k^{-1}(u + ρx) mod q. The simulator then outputs σ = (ρ, s). The simulation
is obviously perfect. We now have to show how to recover k_j = dl_g(r_j) from
a) either the list of secret keys {x_i} given to simulation number i ∈ [1, q_s]
or [1, n], b) or from the outputs k_0, ..., k_t of R. Since R is algebraic, the
key extraction procedure using Transcript leads case b) to case a). Therefore,
we are left with the task of recovering k_j from x_i and the transcript of our
simulations. This is easily done by inverting the signature formula to recover
k_j = s^{-1}(u + ρx_i) mod q. □

6.3 KCDSA and Trusted ElGamal Signatures Type I 

DSA and DSA-like signature schemes have been extended in many ways. We
focus on a generalization called TEGTSS-I put forward by Brickell et al. in [6].
This extension contains the Korean standard KCDSA [17] as a particular case.

Scheme Parameters and Key Generation. Let G = ⟨g⟩ be a group of prime order q.
Now define three functions f_1 : Z_q^4 → Z_q, f_2 : Z_q^3 → Z_q and
f_3 : Z_q^3 → Z_q such that for any integers k, x, u, ρ ∈ Z_q,

\[ \text{if } s = f_1(k, x, u, \rho) \text{ then } f_2(s, u, \rho) + x\, f_3(s, u, \rho) = k \bmod q . \]

The public parameters are (G, g, f_1, f_2, f_3), a function 𝒢 : G → Z_q, and a hash
function H : {0,1}* → Z_q. The signer chooses a secret key x ← Z_q. The related
public key is y = g^x ∈ G.


⁵ The converse is unknown.
Signature Generation and Verification. Given a message m, the signer
selects k ← Z_q^*, computes r = g^k, ρ = 𝒢(r), u = H(m) and s = f_1(k, x, u, ρ).
The signature is σ = (ρ, s). To verify the signature, compute u = H(m),
α = f_2(s, u, ρ), β = f_3(s, u, ρ) and check whether 𝒢(g^α · y^β) = ρ.

KCDSA fulfils this description where G = (Z_p^*)^{(p−1)/q} = ⟨g⟩, H and 𝒢 are
hash functions mapping Z_p to Z_q, and functions f_1, f_2, f_3 are defined by

\[ f_1(k, x, u, \rho) = (k - u \oplus \rho)/x \bmod q , \]
\[ f_2(s, u, \rho) = u \oplus \rho , \]
\[ f_3(s, u, \rho) = s . \]

Before stating any security property of TEGTSS-I signatures, we leave as an
exercise to the reader to prove the following property.

Claim. Let f_1, f_2, f_3 be functions as above. Then there exist efficiently
computable functions δ_1, δ_2, δ_3, δ_4 and ε mapping Z_q^2 to Z_q and such that
δ_1(u, ρ) ≠ 0, (δ_3(u, ρ), δ_4(u, ρ)) ≠ (0, 0), ε(u, ρ) ≠ 0 for any u, ρ ∈ Z_q and

\[ f_1(k, x, u, \rho) = \left( \frac{\delta_1(u,\rho)\, k + \delta_2(u,\rho)}{\delta_3(u,\rho)\, x + \delta_4(u,\rho)} \right)^{\varepsilon(u,\rho)} \qquad (1) \]

\[ f_2(s, u, \rho) = \frac{\delta_4(u,\rho)\, s^{\varepsilon(u,\rho)} - \delta_2(u,\rho)}{\delta_1(u,\rho)} \qquad (2) \]

\[ f_3(s, u, \rho) = \frac{\delta_3(u,\rho)\, s^{\varepsilon(u,\rho)}}{\delta_1(u,\rho)} \qquad (3) \]

where all evaluations are modulo q.

As an illustration, KCDSA yields δ_1(u, ρ) = 1, δ_2(u, ρ) = −u ⊕ ρ, δ_3(u, ρ) = 1,
δ_4(u, ρ) = 0 and ε(u, ρ) = 1. Note that DSA is also a particular case if we set
δ_1(u, ρ) = 1, δ_2(u, ρ) = 0, δ_3(u, ρ) = ρ, δ_4(u, ρ) = u and ε(u, ρ) = −1. We
now state our security results. As for Generic DSA, we rely on n-DL* and the
one-more free-base discrete log assumption:


Theorem 6. Let Σ be a signature scheme of type TEGTSS-I. Assume the one-more
free-base discrete log assumption holds. Then (i) Σ is unbreakable under
chosen-message attacks, (ii) Universal and existential forgeries under any attack
cannot be proven secure under the discrete log assumption or the one-more
free-base discrete log assumption with respect to an algebraic reduction.


Proof (Sketch). Here again, we make use of the proofs of Theorem 1, Lemmas 1
and 2. As discussed earlier, it is necessary to show how to simulate a signing
oracle without knowing the secret key. Recall the simulator is given group elements
{r_j} for j ∈ [1, q_s] or [t + 1, t + n]. Now the signature simulation is as follows.
For a given public key y = g^x ∈ G and a message m, we define r = r_j and compute
ρ = 𝒢(r) and u = H(m). Using our claim above, we compute δ_i = δ_i(u, ρ) for
i ∈ [1, 4] and then invoke DL*_om to get

\[ s = \mathrm{DL}^*_{\mathrm{om}}\!\left( r^{\delta_1(u,\rho)} \cdot g^{\delta_2(u,\rho)},\; y^{\delta_3(u,\rho)} \cdot g^{\delta_4(u,\rho)} \right)^{1/\varepsilon(u,\rho)} . \]

Now writing r = g^k, we easily see that s conforms to the signature equation
s = f_1(k, x, u, ρ) mod q. The simulator then outputs σ = (ρ, s) and the simulation
is perfect. Following the same argument as in the proof of Theorem 5, we now
have to show how to recover k_j from x_i and the transcript of our simulations.
This directly follows from the definition of TEGTSS-I since
k_j = f_2(s, u, ρ) + x_i · f_3(s, u, ρ) mod q. □
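The following added example (written for this page, not from the paper) implements the TEGTSS-I family directly from the δ/ε parametrisation of the Claim, instantiates DSA and KCDSA from the values given after it, and runs the signing-oracle simulation of the proofs of Theorems 5 and 6: a valid signature whose commitment is a challenge r_j is obtained from one free-base DL*_om query without the secret key, and k_j = f_2 + x f_3 is recovered once x is known. Assumptions: a constructed order-1019 subgroup, SHA-256 mod q as H, r mod q as the conversion function 𝒢, ε ∈ {1, −1}, and a brute-force oracle.

```python
import hashlib

# Constructed toy group: g = 4 generates the subgroup of prime order q in
# Z_p^*, with p = 2q + 1. Real parameters are far larger.
P, Q, G = 2039, 1019, 4


def H(m: bytes) -> int:
    """Hash H : {0,1}* -> Z_q (SHA-256 reduced mod q)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q


def conv(r: int) -> int:
    """Conversion function G : G -> Z_q; here r mod q as in the original DSA."""
    return r % Q


def inv(a: int) -> int:
    return pow(a, -1, Q)


class TEGTSS1:
    """A TEGTSS-I scheme given by (delta_1, ..., delta_4, epsilon) as in the
    Claim; f_1, f_2, f_3 follow from equations (1)-(3). Assumption of this
    example: epsilon takes values in {1, -1}, as it does for DSA and KCDSA."""

    def __init__(self, deltas, eps):
        self.deltas, self.eps = deltas, eps

    def coeffs(self, u, rho):
        d1, d2, d3, d4 = (d(u, rho) % Q for d in self.deltas)
        return d1, d2, d3, d4, self.eps(u, rho)

    def f1(self, k, x, u, rho):
        d1, d2, d3, d4, e = self.coeffs(u, rho)
        a = (d1 * k + d2) * inv(d3 * x + d4) % Q    # a = s^eps, eq. (1)
        return a if e == 1 else inv(a)

    def f2(self, s, u, rho):
        d1, d2, _, d4, e = self.coeffs(u, rho)
        se = s if e == 1 else inv(s)
        return (d4 * se - d2) * inv(d1) % Q         # eq. (2)

    def f3(self, s, u, rho):
        d1, _, d3, _, e = self.coeffs(u, rho)
        se = s if e == 1 else inv(s)
        return d3 * se * inv(d1) % Q                # eq. (3)


def sign(sch, x, m, k):
    r = pow(G, k, P)
    rho, u = conv(r), H(m)
    return rho, sch.f1(k, x, u, rho)


def verify(sch, y, m, sig):
    rho, s = sig
    u = H(m)
    alpha, beta = sch.f2(s, u, rho), sch.f3(s, u, rho)
    return conv(pow(G, alpha, P) * pow(y, beta, P) % P) == rho


def dl_star_om(target, base):
    """Free-base discrete log oracle DL*_om(h^a, h) = a. Brute force suffices
    at toy size; in the proofs this is an oracle, not an algorithm."""
    for a in range(Q):
        if pow(base, a, P) == target:
            return a
    raise ValueError("target not in the subgroup generated by base")


def simulate(sch, y, m, r_j):
    """Signing-oracle simulation of the proof of Theorem 6: a signature under y
    on m with commitment r_j, computed without x via one DL*_om query."""
    rho, u = conv(r_j), H(m)
    d1, d2, d3, d4, e = sch.coeffs(u, rho)
    a = dl_star_om(pow(r_j, d1, P) * pow(G, d2, P) % P,
                   pow(y, d3, P) * pow(G, d4, P) % P)
    return rho, (a if e == 1 else inv(a))          # s = a^{1/eps}


def recover_k(sch, x, m, sig):
    """Once x is known: k_j = f_2(s, u, rho) + x f_3(s, u, rho) mod q."""
    rho, s = sig
    u = H(m)
    return (sch.f2(s, u, rho) + x * sch.f3(s, u, rho)) % Q


# DSA and KCDSA as TEGTSS-I instances (delta/epsilon values given after the Claim).
DSA = TEGTSS1([lambda u, r: 1, lambda u, r: 0, lambda u, r: r, lambda u, r: u],
              lambda u, r: -1)
KCDSA = TEGTSS1([lambda u, r: 1, lambda u, r: -(u ^ r), lambda u, r: 1,
                 lambda u, r: 0], lambda u, r: 1)

if __name__ == "__main__":
    x, k, m = 123, 77, b"constructed message"
    y = pow(G, x, P)
    for sch in (DSA, KCDSA):
        sim = simulate(sch, y, m, pow(G, k, P))
        print(verify(sch, y, m, sim), recover_k(sch, x, m, sim) == k)
```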


6.4 Trusted ElGamal Signatures Type II 

Trusted ElGamal signatures of type II form another family of discrete-log-based
signatures and were also suggested by Brickell et al. in [6]. TEGTSS-II are
similar to TEGTSS-I in that functions f_1, f_2, f_3 are defined along the same
lines and the generation of the public parameters and user keys is identical.

Signature Generation and Verification. Given a message m, the signer
selects k ← Z_q^*, computes r = g^k, ρ = 𝒢(r), u = H(m, ρ) and s = f_1(k, x, u, ρ).
The signature is σ = (ρ, s). To verify the signature, compute u = H(m, ρ),
α = f_2(s, u, ρ), β = f_3(s, u, ρ) and check whether 𝒢(g^α · y^β) = ρ.

Therefore, TEGTSS-II signatures define u = H(m, ρ) instead of u = H(m)
while generating or verifying the signature. It is straightforward that Theorem 6
still applies in this case. The proof is identical except that the signature
simulator now defines r = r_j and computes ρ = 𝒢(r) and u = H(m, ρ).


6.5 ElGamal and Meta-ElGamal Signatures 

ElGamal signatures were suggested in 1984 [12] and generalized later by Horster,
Michels and Petersen [16]. We consider here a similar generalization to arbitrary
prime-order groups.

Scheme Parameters and Key Generation. Let G = ⟨g⟩ be a group of prime order q.
Define three functions F_1, F_2, F_3 : G × {0,1}* × Z_q → Z_q such that
F_i(r, m, s) is linear in s for i ∈ [1, 3]. F_1, F_2 and F_3 may involve arbitrarily
many hash functions. The public parameters are (G, g, F_1, F_2, F_3). The signer
selects a secret key x ← Z_q. The public key is y = g^x ∈ G.

Signature Generation and Verification. Given a message m, the signer
selects k ← Z_q^*, computes r = g^k and solves the linear equation

\[ F_1(r, m, s) = x \cdot F_2(r, m, s) + k \cdot F_3(r, m, s) \bmod q \qquad (4) \]

whose solution is some s ∈ Z_q. The signature is then σ = (r, s) ∈ G × Z_q. To
verify the signature, check whether

\[ g^{F_1(r, m, s)} = y^{F_2(r, m, s)} \cdot r^{F_3(r, m, s)} . \]

Original ElGamal signatures define G as the subgroup of order q | p − 1 of Z_p^*,
F_1(r, m, s) = m or for long messages F_1(r, m, s) = H(m) where H is a hash
function mapping strings to Z_q, F_2(r, m, s) = r mod q and F_3(r, m, s) = s.
We now give our results for any Meta-ElGamal scheme, i.e. for any choice of
F_1, F_2, F_3 as above. We still rely on n-DL* and the one-more free-base discrete
log assumption.

Theorem 7. Let Σ be a Meta-ElGamal signature scheme. Assume the one-more
free-base discrete log assumption holds. Then (i) Σ is unbreakable under
chosen-message attacks, (ii) Universal and existential forgeries under any attack
cannot be proven secure under the discrete log assumption or the one-more
free-base discrete log assumption with respect to an algebraic reduction.

Proof (Sketch). As discussed above, it is enough to show how to simulate a
signing oracle without knowing the secret key and recover k_j from x afterwards.
Recalling that the simulator is given group elements {r_j} for j ∈ [1, q_s] or
[t + 1, t + n], the signature simulation is as follows. For a given public key
y = g^x ∈ G and a message m, we define r = r_j and compute (as functions of m
and r) the coefficients a_1, b_1, a_2, b_2, a_3 and b_3 such that
F_i(r, m, s) = a_i s + b_i for i ∈ [1, 3]. We then call DL*_om to get

\[ s = \mathrm{DL}^*_{\mathrm{om}}\!\left( g^{a_1} y^{-a_2} r^{-a_3},\; g^{-b_1} y^{b_2} r^{b_3} \right) . \]

Obviously, s conforms to the verification equation. The simulator then outputs
σ = (r, s) and the simulation is perfect. Now when R or M knows all the values
of x_i, the transcript of the simulation involving r_j leads to specific values
for (r, m, s). Then k_j is recovered as the unique solution in k of the signature
equation Eq. 4. □

7 Impossibility Results in the Random Oracle Model 

All known reductions attesting the unforgeability of Fiat-Shamir-transformed
signatures in the random oracle model lead to a loss factor close to q_H in terms
of execution time or success probability [19]. Since a reasonable bound on the
number of possible hash queries is around q_H = 2^80, this loss definitely makes
these reductions loose, and subsequently implies larger keys and lowered
performances. There exists no proof that this loss factor is necessary. The
following theorem states however, that if the one-more discrete logarithm
assumption holds then each and every algebraic reduction from computing the
discrete logarithm to forging Schnorr signatures must lose at least a factor √q_H.

We note that a similar result can be extended to the one-more discrete log
problems. Also, although we do not extend our work further in this direction,
it is easily seen that this result applies to the random-oracle security of other
signature schemes as well. We start by stating a few statistical facts.

Lemma 3 (Birthday paradox). We consider an experiment in which n objects are
drawn uniformly at random from a set of m elements. Then,

1. the probability of selecting the same element twice is

\[ P(m, n) = 1 - \frac{m(m-1)\cdots(m-n+1)}{m^n} ; \]

2. when n = O(√m) and as m → ∞, one gets

\[ P(m, n) = 1 - \exp\!\left( -\frac{n^2}{2m} + O\!\left(\frac{1}{\sqrt{m}}\right) \right) \approx 1 - \exp\!\left( -\frac{n^2}{2m} \right) . \]

Lemma 4. Let q be a rational prime number, then

\[ |\mathrm{GL}_n(\mathbb{F}_q)| = (q^n - 1)(q^n - q)(q^n - q^2) \cdots (q^n - q^{n-1}) . \]

Therefore, the probability z(n, q) that an n × n matrix picked at random is
non-invertible is

\[ z(n, q) = 1 - \frac{(q^n - 1)(q^n - q)(q^n - q^2) \cdots (q^n - q^{n-1})}{q^{n^2}} < \frac{n}{q} . \]

Theorem 8. Assume there exists an algebraic reduction algorithm R that converts
an (ε, τ, q_H)-universal forger A under a key-only attack in the random oracle
model into an (ε', τ')-solver for the discrete logarithm and assume that R
executes A at most n times. Then there exists a probabilistic algorithm M that
solves n-DL with success probability

\[ \varepsilon'' \ge \varepsilon' \cdot \exp\!\left( -\frac{n^2}{2 q_H} \right) \cdot \left( 1 - \frac{n}{q} \right) \]

within time τ'' = τ' + poly(τ', |R|, n, q_H, log q).

Proof. Assuming the existence of an algebraic reduction R as above, we construct
a meta-reduction M that solves n-DL. R takes as input a challenge discrete log
instance r_0 = g^{k_0} and is allowed to invoke n times the universal forger A
with freely chosen public keys y_i = g^{x_i}, messages m_i and random tapes ω_i
where i = 1, ..., n. Without loss of generality, we may assume that the n
invocations of R are pairwise distinct, i.e. that two distinct executions of A
differ in the value of the public key and/or the random tape, and/or at least one
value returned by the random oracle H of R.

Simulation of A. M attempts to simulate at most n executions of the adversary A
by using the vector of group elements r = (r_1, ..., r_n) and by making requests
to the discrete-log oracle DL_om. More specifically, the i-th invocation of A is
simulated as follows:

1. Receive (y_i, m_i, ω_i) ∈ G × {0,1}* × {0,1}*

2. For h ∈ [1, q_H]

   (a) Randomly select α_h ← (Z_q)^n

   (b) Query H to get c_h = H(m_i, r^{α_h})

3. Randomly select ℓ_i ← [1, q_H]

   (a) Set c_i ← c_{ℓ_i} and β_i ← α_{ℓ_i}

   (b) Request s_i ← DL_om(r^{β_i} · y_i^{c_i})

   (c) Append (y_i, m_i, ω_i) ↦ (s_i, c_i) and (ℓ_i, β_i) to Transcript

4. Pick at random δ ∈ [0, 1]

5. If δ > ε return ⊥

6. Else return σ_i = (s_i, c_i)

Here, if a = (a_1, ..., a_w) and b = (b_1, ..., b_w) then a^b stands for
∏_{i=1}^{w} a_i^{b_i}. Note that all random selections made by A are in fact
pseudo-random in ω_i and all hash values c_h defined by H when the selection
takes place.

Extraction of Discrete Logs. Again, we assume that M disposes of a polynomial
time extraction procedure Extract(k_0, Transcript) = (x_1, ..., x_n), i.e. we
consider R to be algebraic. Therefore, if R outputs k_0, M uses its transcript
information to retrieve the discrete logs x_i of the y_i's. Now M attempts to
solve over Z_q the linear system

\[ \begin{cases} \beta_1 \cdot k = s_1 - c_1 \cdot x_1 \bmod q \\ \quad \vdots \\ \beta_n \cdot k = s_n - c_n \cdot x_n \bmod q , \end{cases} \]

where the unknowns are k = (k_1, ..., k_n) and a · b denotes the dot product of
vectors. The solution k is easily found using linear algebra as soon as vectors
β_1, ..., β_n are linearly independent. Two mutually exclusive cases may occur.

1. ∀ i, j ∈ [1, n] with i ≠ j, one has ℓ_i ≠ ℓ_j. Then by Lemma 4, we get

\[ \Pr[\det(\beta_1, \ldots, \beta_n) = 0] = z(n, q) . \]

Then with probability 1 − z(n, q), M recovers k and succeeds in solving n-DL.

2. ∃ i, j ∈ [1, n] with i ≠ j such that ℓ_i = ℓ_j. Then the reduction M may
fail because it might be the case that β_i = β_j while s_i − c_i x_i ≠ s_j − c_j x_j
mod q, resulting in that the system above is not solvable. The probability of
this event is unknown and depends on how R modified its simulation of H between
two executions of A. Since distinct executions of A are not identical and the
values of the ℓ_i's are picked pseudo-randomly after all H queries have been
made, we invoke Lemma 3 to see that a collision ℓ_i = ℓ_j occurs with probability

\[ \Pr[\exists\, i, j \in [1, n],\ \ell_i = \ell_j] = P(q_H, n) . \]

Since Pr[M fails] ≤ Pr[∃ i, j ∈ [1, n], ℓ_i = ℓ_j], noting ε'' the success
probability of M, we finally get

\[ \varepsilon'' \ge \varepsilon' \cdot (1 - P(q_H, n)) \cdot (1 - z(n, q)) \approx \varepsilon' \cdot \exp\!\left( -\frac{n^2}{2 q_H} \right) . \]

The execution time of M is upper-bounded by τ' + poly(τ', |R|, n, q_H, log q). □
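To make the extraction step of the proof of Theorem 8 concrete, this added example (written for this page, not from the paper) simulates n forger executions as in steps 1-3 above (each picks q_H commitments r^{α_h}, signs one of them through the fixed-base oracle DL_om) and then recovers k from the linear system β_i · k = s_i − c_i x_i over Z_q by Gauss-Jordan elimination, returning None when the β_i are dependent (case 2). Assumptions: a constructed order-1019 subgroup, Schnorr verification c = H(m, g^s y^{-c}), ε = 1 (the forger never outputs ⊥), and a brute-force oracle.

```python
import hashlib
import random

# Constructed toy group: g = 4 generates the order-q subgroup of Z_p^*,
# p = 2q + 1. Schnorr signatures (s, c) on m verify iff c = H(m, g^s y^{-c}).
P, Q, G = 2039, 1019, 4


def H(m: bytes, r: int) -> int:
    """Random oracle H : {0,1}* x G -> Z_q, modelled with SHA-256 mod q."""
    data = m + r.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def schnorr_verify(y: int, m: bytes, sig) -> bool:
    s, c = sig
    r = pow(G, s, P) * pow(pow(y, c, P), -1, P) % P
    return H(m, r) == c


def dl_om(target: int) -> int:
    """Fixed-base discrete log oracle DL_om (brute force at toy size)."""
    return next(a for a in range(Q) if pow(G, a, P) == target)


def vec_pow(r, beta):
    """r^beta = prod_j r_j^{beta_j}: the vector power used in the simulation."""
    out = 1
    for rj, bj in zip(r, beta):
        out = out * pow(rj, bj, P) % P
    return out


def simulate_forger(r, y_i, m_i, q_h, rng):
    """One simulated execution of the universal forger A (steps 1-3 of the
    proof, with epsilon = 1 so the forger never returns bottom)."""
    alphas = [[rng.randrange(Q) for _ in r] for _ in range(q_h)]  # step 2(a)
    cs = [H(m_i, vec_pow(r, a)) for a in alphas]                  # step 2(b)
    l = rng.randrange(q_h)                                         # step 3
    beta, c = alphas[l], cs[l]
    s = dl_om(vec_pow(r, beta) * pow(y_i, c, P) % P)               # beta.k + c x_i
    return (s, c), beta


def solve_mod_q(A, b):
    """Solve A k = b over Z_q by Gauss-Jordan elimination; None if singular."""
    n = len(A)
    M = [[v % Q for v in row] + [bv % Q] for row, bv in zip(A, b)]
    for col in range(n):
        piv = next((i for i in range(col, n) if M[i][col]), None)
        if piv is None:
            return None                        # det = 0: case 2 of the proof
        M[col], M[piv] = M[piv], M[col]
        iv = pow(M[col][col], -1, Q)
        M[col] = [v * iv % Q for v in M[col]]
        for i in range(n):
            if i != col and M[i][col]:
                f = M[i][col]
                M[i] = [(a - f * p_) % Q for a, p_ in zip(M[i], M[col])]
    return [row[n] for row in M]


def extract_k(transcript, xs):
    """Extraction of Discrete Logs: once the x_i are known, solve
    beta_i . k = s_i - c_i x_i (mod q) for k = (k_1, ..., k_n)."""
    A = [beta for (_, beta) in transcript]
    b = [(s - c * x) % Q for ((s, c), _), x in zip(transcript, xs)]
    return solve_mod_q(A, b)


def demo(n=3, q_h=4, seed=1):
    """Returns (true k vector, recovered k vector, all forgeries valid?)."""
    rng = random.Random(seed)
    ks = [rng.randrange(1, Q) for _ in range(n)]   # the logs M must find
    r = [pow(G, k, P) for k in ks]                 # the n-DL instance
    xs = [rng.randrange(1, Q) for _ in range(n)]   # keys chosen by R
    transcript, valid = [], True
    for i, x in enumerate(xs):
        y_i, m_i = pow(G, x, P), b"constructed message %d" % i
        sig, beta = simulate_forger(r, y_i, m_i, q_h, rng)
        valid = valid and schnorr_verify(y_i, m_i, sig)
        transcript.append((sig, beta))
    return ks, extract_k(transcript, xs), valid


if __name__ == "__main__":
    print(demo())
```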

Our result can be interpreted as follows. When n is smaller than √q_H, the
ratio ε''/ε' remains negligibly close to 1 and the algebraic reduction algorithm
R cannot exist if n-DL is intractable over G. However when n ≫ √q_H, the ratio
ε''/ε' becomes rapidly negligibly close to 0 as n increases, allowing R to exist
in the sense that having a substantial ε' does not lead us to solve n-DL with
substantial success probability anymore.

8 Conclusion 

We believe that our results pose new challenging questions about the
standard-model security of common signature schemes. Focusing specifically on
Schnorr's scheme, one might wonder what security level is actually reached in
real life, as DL cannot be at reach of a humanly conceivable reduction. Could
Schnorr signatures be proven secure under the CDH or DDH assumption? Can one
prove a similar separation with these assumptions? What can be said in this
regard about other signature schemes like ElGamal, DSA, GQ, etc.?

Concerning the random oracle model, we leave it as an open problem to find
a more efficient meta-reduction M, that is, to come up with a proof that a factor
close to q_H must be lost in any random-oracle-based algebraic reduction R.
Abstract. The aim of this paper is to justify the common cryptographic
practice of selecting elliptic curves using their order as the primary
criterion. We can formalize this issue by asking whether the discrete log
problem (DLOG) has the same difficulty for all curves over a given finite
field with the same order. We prove that this is essentially true by showing
polynomial time random reducibility of DLOG among such curves, assuming the
Generalized Riemann Hypothesis (GRH). We do so by constructing certain
expander graphs, similar to Ramanujan graphs, with elliptic curves as nodes
and low degree isogenies as edges. The result is obtained from the rapid
mixing of random walks on this graph.

Our proof works only for curves with (nearly) the same endomorphism 
rings. Without this technical restriction such a DLOG equivalence might 
be false; however, in practice the restriction may be moot, because all 
known polynomial time techniques for constructing equal order curves 
produce only curves with nearly equal endomorphism rings. 

Keywords: random reducibility, discrete log, elliptic curves, isogenies, 
modular forms, L-functions, generalized Riemann hypothesis, Ramanu- 
jan graphs, expanders, rapid mixing. 

1 Introduction 

Public key cryptosystems based on the elliptic curve discrete logarithm (DLOG)
problem [22,34] have received considerable attention because they are currently
the most widely used systems whose underlying mathematical problem has yet to
admit subexponential attacks (see [3,31,46]). Hence it is important to formally
understand how the choice of elliptic curve affects the difficulty of the
resulting DLOG problem. This turns out to be more intricate than the
corresponding problem of DLOG over finite fields and their selection.
To motivate the questions in this paper, we begin with two observations.
First, we note that one typically picks an elliptic curve at random, and examines
its group order (e.g. to check if it is smooth) to decide whether to keep it, or
discard it and pick another one. It is therefore a natural question whether or
not DLOG is of the same difficulty on curves over the same field with the same
number of points. Indeed, it is a theorem of Tate that curves E_1 and E_2 defined
over the same finite field F_q have the same number of points if and only if
they are isogenous, i.e., there exists a nontrivial algebraic group homomorphism
φ: E_1 → E_2 between them. If this φ is efficiently computable and has a small
kernel over F_q, we can solve DLOG on E_1, given a DLOG oracle for E_2.

Secondly, we recall the observation that DLOG on (Z/pZ)* has random
self-reducibility: given any efficient algorithm A(g^x) = x that solves DLOG on a
polynomial fraction of inputs, one can solve any instance y = g^x by an expected
polynomial number of calls to A with random inputs of the form A(g^r y). Thus,
if DLOG on (Z/pZ)* is hard in a sense suitable for cryptography at all (e.g., has
no polynomial on average attack), then all but a negligible fraction of instances
of DLOG on (Z/pZ)* must necessarily be hard. This result is comforting since
for cryptographic use we need the DLOG problem to be hard with overwhelming
probability when we pick inputs at random. The same random self-reduction
statement also holds true for DLOG on any abelian group, and in particular
for DLOG on a fixed elliptic curve. We consider instead the following question:
given a polynomial time algorithm to solve DLOG on some positive (or
non-negligible) fraction of isogenous elliptic curves over F_q, can we solve DLOG
for all curves in the same isogeny class in polynomial time? In this paper we show
that the answer to this question is essentially yes, by proving (assuming GRH)
the mixing properties of random walks of isogenies on elliptic curves. It follows
that if DLOG is hard at all in an isogeny class, then DLOG is hard for all but a
negligible fraction of elliptic curves in that isogeny class. This result therefore
justifies, in an average case sense, the cryptographic practice of selecting curves
at random within an isogeny class.

1.1 Summary of Our results 

The conventional wisdom is that if two elliptic curves over the same finite field
have the same order, then their discrete logarithm problems are equally hard.
Indeed, this philosophy is embodied in the way one picks curves in practice.
However, such a widely relied upon assertion merits formal justification. Our work
shows that this simplified belief is essentially true for all elliptic curves which
are constructible using present techniques, but with an important qualification
which we shall now describe.

Specifically, let S_{N,q} denote the set of elliptic curves defined over a given
finite field F_q, up to F_q-isomorphism, that have the same order N over F_q. We
split S_{N,q} into levels (as in Kohel [23]), where each level represents all
elliptic curves having a particular endomorphism ring over F_q. The curves in each
level form the vertices of an isogeny graph [10,11,33], whose edges represent
prime degree isogenies between curves of degree less than some specified bound m.
Theorem 1.1. (Assuming GRH) There exists a polynomial p(x), independent
of N and q, such that for m = p(log q) the isogeny graph 𝒢 on each level is
an expander graph, in the sense that any random walk on 𝒢 will reach a subset
of size h with probability at least after polylog(q) steps (where the implicit
polynomial is again independent of N and q).

Corollary 1.2. (Assuming GRH) The DLOG problem on elliptic curves is random
reducible in the following sense: given any algorithm A that solves DLOG on
some fixed positive proportion of curves in a fixed level, one can
probabilistically solve DLOG on any given curve in that same level with
polylog(q) expected queries to A with random inputs.

The proofs are given at the end of Section 4. These results constitute the
first formulation of a polynomial time random reducibility result for the elliptic
curve DLOG problem which is general enough to apply to typical curves that
one ordinarily encounters in practice. An essential tool in our proof is the nearly
Ramanujan property of Section 3, which we use to prove the expansion properties
of our isogeny graphs. The expansion property in turn allows us to prove the
rapid mixing of random walks given by compositions of small degree isogenies
within a fixed level. Our method uses GRH to prove eigenvalue separation for
these graphs, and provides a new technique for constructing expander graphs.

The results stated above concern a fixed level. One might therefore object
that our work does not adequately address the issue of DLOG reduction in the
case where two isogenous elliptic curves belong to different levels. If an attack
is balanced, i.e., successful on each level on a polynomial fraction of curves, then
our results apply. However, if only unbalanced attacks exist, then a more general
equivalence may be false for more fundamental reasons. Nevertheless, at present
this omission is not of much practical importance. First of all, most random
curves over F_q belong to sets S_{N,q} consisting of only one level (see Section 6);
for example, in Figure 1, we find that 10 out of the 11 randomly generated curves
appearing in international standards documents have only one level. Second,
if the endomorphism rings corresponding to two levels have conductors whose
prime factorizations differ by quantities which are polynomially smooth, then
one can use the algorithms of [11, 23] to navigate to a common level in polynomial
time, and then apply Corollary 1.2 within that level to conclude that DLOG
is polynomial-time random reducible between the two levels. This situation
always arises in practice, because no polynomial time algorithm is known which
even produces a pair of curves lying on levels whose conductor difference is not
polynomially smooth. It is an open problem if such an algorithm exists.

Our use of random walks to reach large subsets of the isogeny graph is crucial,
since constructing an isogeny between two specific curves¹ is believed to be
inherently hard, whereas constructing an isogeny from a fixed curve to a subset

¹ If one uses polynomial size circuits (i.e., polynomial time algorithms with
exponential time pre-processing) for reductions, then one can relate DLOG on two
given curves. This claim follows using the smallness of diameter of our graphs
and the smoothness of the degrees of isogenies involved. We omit the details.



D. Jao, S.D. Miller, and R. Venkatesan



Fig. 1. A table of curves recommended as international standards [16,36]. Note
that the value of c_π for each of the standards curves is small (at most 3),
except for the curves in the NIST K (Koblitz curve) family. These phenomena are
to be expected and are explained in Section 6. Any curve with c_π = 1 has the
property that its isogeny class consists of only one level. It follows from the
results of Section 1.1 that randomly generated elliptic curves with c_π = 1 (or,
more generally, with smooth c_π) will have discrete logarithm problems of typical
difficulty amongst all elliptic curves in their isogeny class.

constituting a positive (or polynomial) fraction of the isogeny graph is proved 
in this paper to be easy. Kohel [23] and Galbraith [11] present exponential time 
algorithms (and thus exponential time reductions) for navigating between two 
nodes in the isogeny graph, some of which are based on random walk heuristics 
which we prove here rigorously. Subsequent papers on Weil descent attacks [12, 
32] and elliptic curve trapdoor systems [45] also use isogeny random walks in 
order to extend the GHS Weil descent attack [13] to elliptic curves which are 
not themselves directly vulnerable to the GHS attack. Our work does not imply 
any changes to the deductions of these papers, since they also rely on the above 
heuristic assumptions involving exponentially long random walks. In our case, we 
achieve polynomial time instead of exponential time reductions; this is possible 
since we keep one curve fixed, and random reducibility requires only that the 
other curve be randomly distributed. 


2 Preliminaries 

Let E_1 and E_2 be elliptic curves defined over a finite field F_q of characteristic
p. An isogeny φ: E_1 → E_2 defined over F_q is a non-constant rational map defined
over F_q which is also a group homomorphism from E_1(F_q) to E_2(F_q) [42, §III.4].
The degree of an isogeny is its degree as a rational map. For any elliptic curve
E: y² + a_1 xy + a_3 y = x³ + a_2 x² + a_4 x + a_6 defined over F_q, the Frobenius
endomorphism is the isogeny π: E → E of degree q given by the equation
π(x, y) = (x^q, y^q). It satisfies the equation

\[ \pi^2 - \mathrm{Trace}(E)\,\pi + q = 0, \]

where Trace(E) = q + 1 − #E(F_q) is the trace of the Frobenius endomorphism
of E over F_q. The polynomial p(X) := X² − Trace(E)X + q is called the
characteristic polynomial of E.
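The characteristic equation of Frobenius can be checked numerically; this added example (written for this page, not from the paper) counts the F_p-points of a constructed toy curve to obtain Trace(E), then verifies π² − Trace(E)π + q = O on every point defined over F_{q²}, where π acts non-trivially. Assumptions: short Weierstrass form y² = x³ + Ax + B, p = 11, and F_{p²} = F_p(i) with i² = −1 (valid since p ≡ 3 mod 4).

```python
# Constructed toy curve E: y^2 = x^3 + A x + B over F_p, p = 11. Elements of
# F_{p^2} are pairs (c0, c1) meaning c0 + c1*i with i^2 = -1; the point at
# infinity is None.
p, A, B = 11, 1, 1


def f_add(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def f_sub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def f_scalar(c, u): return (c * u[0] % p, c * u[1] % p)


def f_mul(u, v):
    return ((u[0] * v[0] - u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)


def f_inv(u):
    n = pow(u[0] * u[0] + u[1] * u[1], -1, p)   # the norm lies in F_p^*
    return (u[0] * n % p, -u[1] * n % p)


def f_pow(u, e):
    r = (1, 0)
    for bit in bin(e)[2:]:
        r = f_mul(r, r)
        if bit == "1":
            r = f_mul(r, u)
    return r


def on_curve(pt):
    x, y = pt
    rhs = f_add(f_add(f_pow(x, 3), f_scalar(A, x)), (B, 0))
    return f_mul(y, y) == rhs


def neg(pt): return None if pt is None else (pt[0], f_sub((0, 0), pt[1]))


def add(P1, P2):
    """Group law on E over F_{p^2} (short Weierstrass chord-and-tangent)."""
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:
        if f_add(y1, y2) == (0, 0):
            return None                           # P + (-P) = O
        num = f_add(f_scalar(3, f_mul(x1, x1)), (A, 0))
        lam = f_mul(num, f_inv(f_scalar(2, y1)))  # tangent slope
    else:
        lam = f_mul(f_sub(y2, y1), f_inv(f_sub(x2, x1)))
    x3 = f_sub(f_sub(f_mul(lam, lam), x1), x2)
    return (x3, f_sub(f_mul(lam, f_sub(x1, x3)), y1))


def mul(n, P1):
    if n < 0:
        return mul(-n, neg(P1))
    R = None
    while n:
        if n & 1: R = add(R, P1)
        P1, n = add(P1, P1), n >> 1
    return R


def frob(P1):
    """Frobenius pi(x, y) = (x^q, y^q) with q = p."""
    return None if P1 is None else (f_pow(P1[0], p), f_pow(P1[1], p))


def points(ext):
    """All points of E over F_p (ext=False) or F_{p^2} (ext=True), by brute force."""
    elems = [(c0, c1) for c0 in range(p) for c1 in (range(p) if ext else [0])]
    return [(x, y) for x in elems for y in elems if on_curve((x, y))] + [None]


def trace():
    return p + 1 - len(points(False))          # Trace(E) = q + 1 - #E(F_q)


def check_characteristic_equation():
    """Returns (Trace(E), whether pi^2 - Trace(E) pi + q kills every F_{p^2}-point)."""
    t = trace()
    ok = all(add(add(frob(frob(P1)), mul(-t, frob(P1))), mul(p, P1)) is None
             for P1 in points(True))
    return t, ok


if __name__ == "__main__":
    print(check_characteristic_equation())
```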

An endomorphism of E is an isogeny E → E defined over the algebraic closure
F̄_q of F_q. The set of endomorphisms of E together with the zero map forms
a ring under the operations of pointwise addition and composition; this ring
is called the endomorphism ring of E and denoted End(E). The ring End(E)
is isomorphic either to an order in a quaternion algebra or to an order in an
imaginary quadratic field [42, V.3.1]; in the first case we say E is supersingular
and in the second case we say E is ordinary. In the latter situation, the Frobenius
endomorphism π can be regarded as an algebraic integer which is a root of the
characteristic polynomial.

Two elliptic curves E_1 and E_2 defined over F_q are said to be isogenous over
F_q if there exists an isogeny φ: E_1 → E_2 defined over F_q. A theorem of Tate
states that two curves E_1 and E_2 are isogenous over F_q if and only if
#E_1(F_q) = #E_2(F_q) [43, §3]. Since every isogeny has a dual isogeny
[42, III.6.1], the property of being isogenous over F_q is an equivalence relation
on the finite set of F_q-isomorphism classes of elliptic curves defined over F_q.
We define an isogeny class to be an equivalence class of elliptic curves, up to
F_q-isomorphism, under this equivalence relation; the set S_{N,q} of Section 1.1
is thus equal to the isogeny class of elliptic curves over F_q having cardinality N.

Curves in the same isogeny class are either all supersingular or all ordinary. 
We assume for the remainder of this paper that we are in the ordinary case, 
which is the more interesting case from the point of view of cryptography in light 
of the MOV attack [30]. Theorem 1.1 in the supersingular case was essentially 
known earlier by results of Pizer [37, 38], and a proof has been included for 
completeness in Appendix A. 

The following theorem describes the structure of elliptic curves within an 
isogeny class from the point of view of their endomorphism rings. 

Theorem 2.1. Let $E$ and $E'$ be ordinary elliptic curves defined over $\mathbb{F}_q$ which
are isogenous over $\mathbb{F}_q$. Let $K$ denote the imaginary quadratic field containing
$\mathrm{End}(E)$, and write $\mathcal{O}_K$ for the maximal order (i.e., ring of integers) of $K$.

1. The order $\mathrm{End}(E)$ satisfies the property $\mathbb{Z}[\pi] \subset \mathrm{End}(E) \subset \mathcal{O}_K$.

2. The order $\mathrm{End}(E')$ also satisfies $\mathrm{End}(E') \subset K$ and $\mathbb{Z}[\pi] \subset \mathrm{End}(E') \subset \mathcal{O}_K$.

3. The following are equivalent:

(a) $\mathrm{End}(E) = \mathrm{End}(E')$.

(b) There exist two isogenies $\phi\colon E \to E'$ and $\psi\colon E \to E'$ of relatively prime
degree, both defined over $\mathbb{F}_q$.

(c) $[\mathcal{O}_K : \mathrm{End}(E)] = [\mathcal{O}_K : \mathrm{End}(E')]$.

(d) $[\mathrm{End}(E) : \mathbb{Z}[\pi]] = [\mathrm{End}(E') : \mathbb{Z}[\pi]]$.

4. Let $\phi\colon E \to E'$ be an isogeny from $E$ to $E'$ of prime degree $\ell$, defined over
$\mathbb{F}_q$. Then either $\mathrm{End}(E)$ contains $\mathrm{End}(E')$ or $\mathrm{End}(E')$ contains $\mathrm{End}(E)$, and
the index of the smaller in the larger divides $\ell$.

5. Suppose $\ell$ is a prime that divides one of $[\mathcal{O}_K : \mathrm{End}(E)]$ and $[\mathcal{O}_K : \mathrm{End}(E')]$,
but not the other. Then every isogeny $\phi\colon E \to E'$ defined over $\mathbb{F}_q$ has degree
equal to a multiple of $\ell$.

Proof. [23, §4.2].

For any order $\mathcal{O} \subset \mathcal{O}_K$, the conductor of $\mathcal{O}$ is defined to be the integer $[\mathcal{O}_K : \mathcal{O}]$.
The field $K$ is called the CM field of $E$. We write $c_E$ for the conductor of
$\mathrm{End}(E)$ and $c_\pi$ for the conductor of $\mathbb{Z}[\pi]$. Note that this is not the same thing
as the arithmetic conductor of an elliptic curve [42, §C.16], nor is it related
to the conductance of an expander graph [21]. It follows from [4, (7.2) and
(7.3)] that $\mathrm{End}(E) = \mathbb{Z} + c_E \mathcal{O}_K$ and $D = c_E^2 d_K$, where $D$ (respectively, $d_K$)
is the discriminant of the order $\mathrm{End}(E)$ (respectively, $\mathcal{O}_K$). Furthermore, the
characteristic polynomial $p(X)$ has discriminant $d_\pi = \mathrm{disc}(p(X)) = \mathrm{Trace}(E)^2 -
4q = \mathrm{disc}(\mathbb{Z}[\pi]) = c_\pi^2 d_K$, with $c_\pi = c_E \cdot [\mathrm{End}(E) : \mathbb{Z}[\pi]]$.

Following [10] and [11], we say that an isogeny $\phi\colon E \to E'$ of prime degree
$\ell$ defined over $\mathbb{F}_q$ is “down” if $[\mathrm{End}(E) : \mathrm{End}(E')] = \ell$, “up” if $[\mathrm{End}(E') :
\mathrm{End}(E)] = \ell$, and “horizontal” if $\mathrm{End}(E) = \mathrm{End}(E')$. The following theorem
classifies the number of degree $\ell$ isogenies of each type in terms of the Legendre
symbol $\left(\frac{D}{\ell}\right)$.

Theorem 2.2. Let $E$ be an ordinary elliptic curve over $\mathbb{F}_q$, with endomorphism
ring $\mathrm{End}(E)$ of discriminant $D$. Let $\ell$ be a prime different from the characteristic
of $\mathbb{F}_q$.

— Assume $\ell \nmid c_E$. Then there are exactly $1 + \left(\frac{D}{\ell}\right)$ horizontal isogenies $\phi\colon E \to E'$
of degree $\ell$.

  • If $\ell \nmid c_\pi$, there are no other isogenies $E \to E'$ of degree $\ell$ over $\mathbb{F}_q$.

  • If $\ell \mid c_\pi$, there are $\ell - \left(\frac{D}{\ell}\right)$ down isogenies of degree $\ell$.

— Assume $\ell \mid c_E$. Then there is one up isogeny $E \to E'$ of degree $\ell$.

  • If $\ell \nmid \frac{c_\pi}{c_E}$, there are no other isogenies $E \to E'$ of degree $\ell$ over $\mathbb{F}_q$.

  • If $\ell \mid \frac{c_\pi}{c_E}$, there are $\ell$ down isogenies of degree $\ell$.

Proof. [10, §2.1] or [11, §11.5].

It follows that the maximal conductor difference between levels in an isogeny
class is achieved between a curve at the top level (with $\mathrm{End}(E) = \mathcal{O}_K$) and a
curve at the bottom level (with $\mathrm{End}(E) = \mathbb{Z}[\pi]$).


2.1 Isogeny Graphs 

We define two curves $E_1$ and $E_2$ in an isogeny class $S_{N,q}$ to have the same level
if $\mathrm{End}(E_1) = \mathrm{End}(E_2)$. An isogeny graph is a graph whose nodes consist of all
elements in $S_{N,q}$ belonging to a fixed level. Note that a horizontal isogeny always
goes between two curves of the same level; likewise, an up isogeny enlarges the
size of the endomorphism ring and a down isogeny reduces the size. Since there
are fewer elliptic curves at higher levels than at lower levels, the collection of
isogeny graphs under the level interpretation visually resembles a “pyramid” or
a “volcano” [10], with up isogenies ascending the structure and down isogenies
descending.

As in [15, Prop. 2.3], we define two isogenies $\phi\colon E_1 \to E_2$ and $\phi'\colon E_1 \to E_2$
to be equivalent if there exists an automorphism $\alpha \in \mathrm{Aut}(E_2)$ (i.e., an invertible
endomorphism) such that $\phi' = \alpha\phi$. The edges of the graph consist of equivalence
classes of isogenies over $\mathbb{F}_q$ between elliptic curve representatives of nodes in the
graph, which have prime degree less than the bound $(\log q)^{2+\delta}$ for some fixed
constant $\delta > 0$. The degree bound must be small enough to permit the isogenies
to be computed, but large enough to allow the graph to be connected and to
have the rapid mixing properties that we want. We will show in Section 4 that
there exists a constant $\delta > 0$ for which a bound of $(\log q)^{2+\delta}$ satisfies all the
requirements, provided that we restrict the isogenies to a single level.

Accordingly, fix a level of the isogeny class, and let $\mathrm{End}(E) = \mathcal{O}$ be the
common endomorphism ring of all of the elliptic curves in this level. Denote by
$\mathcal{G}$ the regular graph whose vertices are elements of $S_{N,q}$ with endomorphism ring
$\mathcal{O}$, and whose edges are equivalence classes of horizontal isogenies defined over
$\mathbb{F}_q$ of prime degree $< (\log q)^{2+\delta}$. By standard facts from the theory of complex
multiplication [4, §10], each invertible ideal $\mathfrak{a} \subset \mathcal{O}$ produces an elliptic curve $\mathbb{C}/\mathfrak{a}$
defined over some number field $L \subset \mathbb{C}$ (called the ring class field of $\mathcal{O}$) [4, §11].
The curve $\mathbb{C}/\mathfrak{a}$ has complex multiplication by $\mathcal{O}$, and two different ideals yield
isomorphic curves if and only if they belong to the same ideal class. Likewise,
each invertible ideal $\mathfrak{b} \subset \mathcal{O}$ defines an isogeny $\mathbb{C}/\mathfrak{a} \to \mathbb{C}/\mathfrak{a}\mathfrak{b}^{-1}$, and the degree of
this isogeny is the norm $N(\mathfrak{b})$ of the ideal $\mathfrak{b}$. Moreover, for any prime ideal $\mathfrak{p}$ in $L$
lying over $p$, the reductions mod $\mathfrak{p}$ of the above elliptic curves and isogenies are
defined over $\mathbb{F}_q$, and every elliptic curve and every horizontal isogeny in $\mathcal{G}$ arises
in this way (see [11, §3] for the $p > 3$ case, and [12] for the small characteristic
case). Therefore, the isogeny graph $\mathcal{G}$ is isomorphic to the corresponding graph
$\mathcal{H}$ whose nodes are elliptic curves $\mathbb{C}/\mathfrak{a}$ with complex multiplication by $\mathcal{O}$, and
whose edges are complex analytic isogenies represented by ideals $\mathfrak{b} \subset \mathcal{O}$ and
subject to the same degree bound as before. This isomorphism preserves the
degrees of isogenies, in the sense that the degree of any isogeny in $\mathcal{G}$ is equal to
the norm of its corresponding ideal $\mathfrak{b}$ in $\mathcal{H}$.

The graph $\mathcal{H}$ has an alternate description as a Cayley graph on the ideal class
group $\mathrm{Cl}(\mathcal{O})$ of $\mathcal{O}$. Indeed, each node of $\mathcal{H}$ is an ideal class of $\mathcal{O}$, and two ideal
classes $[\mathfrak{a}_1]$ and $[\mathfrak{a}_2]$ are connected by an edge if and only if there exists a prime
ideal $\mathfrak{b}$ of norm $< (\log q)^{2+\delta}$ such that $[\mathfrak{a}_1\mathfrak{b}] = [\mathfrak{a}_2]$. Therefore, the graph $\mathcal{H}$ (and
hence the graph $\mathcal{G}$) is isomorphic to the Cayley graph of the group $\mathrm{Cl}(\mathcal{O})$ with
respect to the generators $[\mathfrak{b}] \in \mathrm{Cl}(\mathcal{O})$, as $\mathfrak{b}$ ranges over all prime ideals of $\mathcal{O}$ of
norm $< (\log q)^{2+\delta}$.

Remark 2.1. The isogeny graph $\mathcal{G}$ consists of objects defined over the finite field
$\mathbb{F}_q$, whereas the objects in the graph $\mathcal{H}$ are defined over the number field $L$.
One passes from $\mathcal{H}$ to $\mathcal{G}$ by taking reductions mod $\mathfrak{p}$ and from $\mathcal{G}$ to $\mathcal{H}$ by
using Deuring’s Lifting Theorem [8,11,24]. There is no known polynomial time
or even subexponential time algorithm for computing the isomorphism between
$\mathcal{G}$ and $\mathcal{H}$ [11, §3]. For our purposes, such an explicit algorithm is not necessary,
since we only use the complex analytic theory to prove abstract graph-theoretic
properties of $\mathcal{G}$.

Remark 2.2. The isogeny graph $\mathcal{G}$ is typically a symmetric graph, since each
isogeny $\phi$ has a unique dual isogeny $\hat{\phi}\colon E_2 \to E_1$ of the same degree as $\phi$ in the
opposite direction [42, §III.6]. (From the viewpoint of $\mathcal{H}$, an isogeny represented
by an ideal $\mathfrak{b} \subset \mathcal{O}$ has its dual isogeny represented simply by the complex conjugate
$\bar{\mathfrak{b}}$.) However, the definition of equivalence of isogenies from [15] given in 2.1
contains a subtle asymmetry which can sometimes render the graph $\mathcal{G}$ asymmetric
in the supersingular case (Appendix A). Namely, if $\mathrm{Aut}(E_1)$ is not equal to
$\mathrm{Aut}(E_2)$, then two isogenies $E_1 \to E_2$ can sometimes be equivalent even when
their dual isogenies are not. For ordinary elliptic curves within a common level,
the equation $\mathrm{End}(E_1) = \mathrm{End}(E_2)$ automatically implies $\mathrm{Aut}(E_1) = \mathrm{Aut}(E_2)$,
so the graph $\mathcal{G}$ is always symmetric in this case. Hence, we may regard $\mathcal{G}$ as
undirected and apply known results about undirected expander graphs (as in
the following section) to $\mathcal{G}$.


3 Expander Graphs 

Let $G = (V, \mathcal{E})$ be a finite graph on $h$ vertices $V$ with undirected edges $\mathcal{E}$.
Suppose $G$ is a regular graph of degree $k$, i.e., exactly $k$ edges meet at each
vertex. Given a labeling of the vertices $V = \{v_1, \ldots, v_h\}$, the adjacency matrix
of $G$ is the symmetric $h \times h$ matrix $A$ whose $ij$-th entry $A_{ij} = 1$ if an edge exists
between $v_i$ and $v_j$, and 0 otherwise.

It is convenient to identify functions on $V$ with $h$-vectors via this labeling,
and therefore also think of $A$ as a self-adjoint operator on $L^2(V)$. All of the
eigenvalues of $A$ satisfy the bound $|\lambda| \le k$. Constant vectors are eigenfunctions
of $A$ with eigenvalue $k$, which for obvious reasons is called the trivial eigenvalue
$\lambda_{\mathrm{triv}}$. A family of such graphs $G$ with $h \to \infty$ is said to be a sequence of
expander graphs if all other eigenvalues of their adjacency matrices are bounded
away from $\lambda_{\mathrm{triv}} = k$ by a fixed amount.² In particular, no other eigenvalue is
equal to $k$: this implies the graph is connected. A Ramanujan graph [29] is a
special type of expander which has $|\lambda| \le 2\sqrt{k-1}$ for any nontrivial eigenvalue
which is not equal to $-k$ (this last possibility happens if and only if the graph
is bipartite). The supersingular isogeny graphs in Appendix A are sometimes
Ramanujan, while the ordinary isogeny graphs in Section 2.1 do not qualify,
partly because their degree is not bounded. Nevertheless, they still share the most
important properties of expanders as far as our applications are concerned. In
particular their degree $k$ grows slowly (as a polynomial in $\log|V|$), and they share
a qualitatively similar eigenvalue separation: instead the nontrivial eigenvalues $\lambda$
can be arranged to be $O(k^{1/2+\epsilon})$ for any desired value of $\epsilon > 0$. Since our goal is
to establish a polynomial time reduction, this enlarged degree bound is natural,
and in fact necessary for obtaining expanders from abelian Cayley graphs [1].
Obtaining any nontrivial exponent $\beta < 1$ satisfying $\lambda = O(k^\beta)$ is a key challenge
for many applications, and accordingly we shall focus on a type of graphs we
call “nearly Ramanujan” graphs: families of graphs whose nontrivial eigenvalues
$\lambda$ satisfy that bound.

² Expansion is usually phrased in terms of the number of neighbors of subsets of $G$, but
the spectral condition here is equivalent for $k$-regular graphs and also more useful
for our purposes.

A fundamental use of expanders is to prove the rapid mixing of the random 
walk on V along the edges £. The following rapid mixing result is standard but 
we present it below for convenience. For more information, see [5,28,40]. 

Proposition 3.1. Let $G$ be a regular graph of degree $k$ on $h$ vertices. Suppose
that the eigenvalue $\lambda$ of any nonconstant eigenvector satisfies the bound $|\lambda| \le c$
for some $c < k$. Let $S$ be any subset of the vertices of $G$, and $x$ be any vertex in
$G$. Then a random walk of any length at least $\dfrac{\log(2h/|S|^{1/2})}{\log(k/c)}$ starting from $x$ will
land in $S$ with probability at least $\dfrac{|S|}{2h}$.

Proof. There are $k^r$ random walks of length $r$ starting from $x$. One would expect
in a truly random situation that roughly $\frac{|S|}{h}k^r$ of these land in $S$. The lemma
asserts that for $r \ge \frac{\log(2h/|S|^{1/2})}{\log(k/c)}$ at least half that number of walks in fact do.
Denoting the characteristic functions of $S$ and $\{x\}$ as $\chi_S$ and $\chi_{\{x\}}$, respectively,
we count that

$$\#\{\text{walks of length } r \text{ starting at } x \text{ and landing in } S\} = (\chi_S, A^r \chi_{\{x\}}), \qquad (3.1)$$

where $(\cdot,\cdot)$ denotes the inner product of functions in $L^2(V)$. We estimate this as
follows. Write the orthogonal decompositions of $\chi_S$ and $\chi_{\{x\}}$ as

$$\chi_S = \frac{|S|}{h}\mathbf{1} + u \quad\text{and}\quad \chi_{\{x\}} = \frac{1}{h}\mathbf{1} + w, \qquad (3.2)$$

where $\mathbf{1}$ is the constant vector and $(u,\mathbf{1}) = (w,\mathbf{1}) = 0$. Then (3.1) equals the
expected value of $\frac{|S|}{h}k^r$, plus the additional term $(u, A^r w)$, which is bounded by
$\|u\|\,\|A^r w\|$. Because $w \perp \mathbf{1}$ and the symmetric matrix $A^r$ has spectrum bounded
by $c^r$ on the span of such vectors,

$$\|u\|\,\|A^r w\| \le c^r\|u\|\,\|w\| \le c^r\|\chi_S\|\,\|\chi_{\{x\}}\| = c^r|S|^{1/2}. \qquad (3.3)$$

For our values of $r$ this is at most half of $\frac{|S|}{h}k^r$, so indeed at least $\frac{|S|}{2h}k^r$ of the
paths terminate in $S$ as was required.

In our application the quantities $k$, $\frac{h}{|S|}$, and $\frac{1}{\log(k/c)}$ will all be bounded by poly-
nomials in $\log(h)$. Under these hypotheses, the probability is at least 1/2 that
some $\mathrm{polylog}(h)$ trials of random walks of $\mathrm{polylog}(h)$ length starting from $x$ will
reach $S$ at least once. This mixing estimate is the source of our polynomial time
random reducibility (Corollary 1.2).
4 Spectral Properties of the Isogeny Graph 

4.1 Navigating the Isogeny Graph 

Let $\mathcal{G}$ be as in Section 2.1. The isogeny graph $\mathcal{G}$ has exponentially many nodes
and thus is too large to be stored. However, given a curve $E$ and a prime $\ell$, it is
possible to efficiently compute the curves which are connected to $E$ by an isogeny
of degree $\ell$. These curves $E'$ have $j$-invariants which can be found by solving the
modular polynomial relation $\Phi_\ell(j(E), j(E')) = 0$; the cost of this step is $O(\ell^3)$
field operations [11, II.6]. Given the $j$-invariants, the isogenies themselves can
then be obtained using the algorithms of [10] (or [26,27] when the characteristic
of the field is small). In this way, it is possible to navigate the isogeny graph
locally without computing the entire graph. We shall see that it suffices to have
the degree of the isogenies in the graph be bounded by $(\log q)^{2+\delta}$ to assure the
Ramanujan properties required for $\mathcal{G}$ to be an expander.

4.2 Θ-Functions and Graph Eigenvalues 

The graph $\mathcal{H}$ (and therefore also the isomorphic graph $\mathcal{G}$) has one node for each
ideal class of $\mathcal{O}$. Therefore, the total number of nodes in the graph $\mathcal{G}$ is the ideal
class number of the order $\mathcal{O}$, and the vertices $V$ can be identified with ideal class
representatives $\{\mathfrak{a}_1, \ldots, \mathfrak{a}_h\}$. Using the isomorphism between $\mathcal{G}$ and $\mathcal{H}$, we see
that the generating function $\sum_n M_{\mathfrak{a}_i,\mathfrak{a}_j}(n)\,q^n$ for degree $n$ isogenies between the
vertices $\mathfrak{a}_i$ and $\mathfrak{a}_j$ of $\mathcal{G}$ is given by

$$\sum_{n=1}^{\infty} M_{\mathfrak{a}_i,\mathfrak{a}_j}(n)\,q^n = \frac{1}{e}\sum_{z \in \mathfrak{a}_i^{-1}\mathfrak{a}_j} q^{N(z)/N(\mathfrak{a}_i^{-1}\mathfrak{a}_j)}, \qquad (4.1)$$

where $e$ is the number of units in $\mathcal{O}$ (which always equals 2 for $|\mathrm{disc}(\mathcal{O})| > 4$). The
sum on the righthand side depends only on the ideal class of the fractional ideal
$\mathfrak{a}_i^{-1}\mathfrak{a}_j$; by viewing the latter as a lattice in $\mathbb{C}$, we see that $N(z)/N(\mathfrak{a}_i^{-1}\mathfrak{a}_j)$ is a
quadratic form of discriminant $D$ where $D := \mathrm{disc}(\mathcal{O})$ [4, p. 142]. That means this
sum is a $\theta$-series, accordingly denoted as $\theta_{\mathfrak{a}_i^{-1}\mathfrak{a}_j}(q)$. It is a holomorphic modular
form of weight 1 for the congruence subgroup $\Gamma_0(|D|)$ of $\mathrm{SL}(2,\mathbb{Z})$, transforming
according to the character $\left(\frac{D}{\cdot}\right)$ (see [19, Theorem 10.9]).

Before discussing exactly which degrees of isogenies to admit into our isogeny
graph $\mathcal{G}$, let us first make some remarks about the simpler graph on $V =
\{\mathfrak{a}_1, \ldots, \mathfrak{a}_h\}$ whose edges represent isogenies of degree exactly equal to $n$. Its
adjacency matrix is of course the $h \times h$ matrix $M(n) = [M_{\mathfrak{a}_i,\mathfrak{a}_j}(n)]_{1 \le i,j \le h}$
defined by series coefficients in (4.1). It can be naturally viewed as an operator
which acts on functions on $V = \{\mathfrak{a}_1, \ldots, \mathfrak{a}_h\}$, by identifying them with $h$-vectors
according to this labeling. We will now simultaneously diagonalize all $M(n)$, or
what amounts to the same, diagonalize the matrix $A_q = \sum_{n \ge 1} M(n)\,q^n$ for any
value of $q < 1$ (where the sum converges absolutely). The primary reason this
is possible is that for each fixed $n$ this graph is an abelian Cayley graph on
the ideal class group $\mathrm{Cl}(\mathcal{O})$, with generating set equal to those classes $\mathfrak{a}_i$ which
represent an $n$-isogeny. The eigenfunctions of the adjacency matrix of an abelian
Cayley graph are always given by characters of the group (viewed as functions
on the graph), and their respective eigenvalues are sums of these characters over
the generating set. This can be seen directly in our circumstance as follows. The
$ij$-th entry of $A_q$ is $\frac{1}{e}\theta_{\mathfrak{a}_i^{-1}\mathfrak{a}_j}(q)$, which we recall depends only on the ideal class of
the fractional ideal $\mathfrak{a}_i^{-1}\mathfrak{a}_j$. If $\chi$ is any character of $\mathrm{Cl}(\mathcal{O})$, viewed as the $h$-vector
whose $i$-th entry is $\chi(\mathfrak{a}_i)$, then the $i$-th entry of the vector $A_q\chi$ may be evaluated
through matrix multiplication as

$$(A_q\chi)(\mathfrak{a}_i) = \frac{1}{e}\sum_{\mathfrak{a}_j \in \mathrm{Cl}(\mathcal{O})} \theta_{\mathfrak{a}_i^{-1}\mathfrak{a}_j}(q)\,\chi(\mathfrak{a}_j) = \frac{1}{e}\Big(\sum_{\mathfrak{a}_j \in \mathrm{Cl}(\mathcal{O})} \theta_{\mathfrak{a}_j}(q)\,\chi(\mathfrak{a}_j)\Big)\chi(\mathfrak{a}_i), \qquad (4.2)$$

where in the last equality we have reindexed $\mathfrak{a}_j \mapsto \mathfrak{a}_i\mathfrak{a}_j$ using the group struc-
ture of $\mathrm{Cl}(\mathcal{O})$. Therefore $\chi$ is in fact an eigenvector of the matrix $eA_q$, with
eigenvalue equal to the sum of $\theta$-functions enclosed in parentheses, known as
a Hecke $\theta$-function (see [19, §12]). These, which we shall denote $\theta_\chi(q)$, form a
more natural basis of modular forms than the ideal class $\theta$-functions $\theta_{\mathfrak{a}_j}$ because
they are in fact Hecke eigenforms. Using (4.1), the $L$-functions of these Hecke
characters can be written as

$$L(s,\chi) = L(s,\theta_\chi) = \sum_{\text{integral ideals } \mathfrak{a} \subset K} \chi(\mathfrak{a})\,(N\mathfrak{a})^{-s} = \sum_{n=1}^{\infty} a_n(\chi)\,n^{-s}, \quad\text{where}\quad a_n(\chi) = \sum_{\substack{\mathfrak{a} \subset K \\ N\mathfrak{a} = n}} \chi(\mathfrak{a}) \qquad (4.3)$$

is in fact simply the eigenvalue of $eM(n)$ for the eigenvector formed from the
character $\chi$ as above, which can be seen by isolating the coefficient of $q^n$ in the
sum on the righthand side of (4.2).
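The two facts used above, that the characters of an abelian group are the eigenvectors of any Cayley graph on it with eigenvalues given by sums of the character over the generating set (as in (4.2)), and that a spectral gap forces the rapid mixing of Proposition 3.1, can be checked numerically on a small constructed group. The following Python code is an added example, not code from the paper: it takes the cyclic group $\mathbb{Z}/31$ with the symmetric generating set $\{\pm 1, \pm 5, \pm 12\}$ as a stand-in for $\mathrm{Cl}(\mathcal{O})$ with generators $[\mathfrak{b}]$ (the group, the generators and the target set $S$ are constructed choices), computes the eigenvalues $\lambda_j$ from the characters, takes $c$ to be the largest nontrivial $|\lambda_j|$, and then counts the walks of the length prescribed by Proposition 3.1 exactly, in integer arithmetic, to confirm that at least $|S|k^r/(2h)$ of them land in $S$.

```python
import cmath
import math

# Constructed example (not from the paper): the Cayley graph of Z/31 with the
# symmetric generating set {+-1, +-5, +-12}.  The same arithmetic applies to
# any finite abelian group given by a list of generators, e.g. Cl(O).
H = 31
GENS = [1, 5, 12, 30, 26, 19]   # +-1, +-5, +-12 reduced modulo 31
TARGET = [0, 1, 2]              # the subset S of Proposition 3.1


def adjacency_step(h, gens, v):
    """Apply the adjacency operator once: (A v)(y) = sum_{s in gens} v(y - s)."""
    return [sum(v[(y - s) % h] for s in gens) for y in range(h)]


def character_eigenvalues(h, gens):
    """Eigenvalue of A on the character chi_j(x) = exp(2 pi i j x / h):
    lambda_j = sum_{s in gens} chi_j(s), the analogue of (4.2).  Index 0 is the
    trivial character, so lambda_0 = k = |gens|.  For a symmetric generating
    set the values are real, so only the real part is kept."""
    return [sum(cmath.exp(2 * math.pi * 1j * idx * s / h) for s in gens).real
            for idx in range(h)]


def spectral_data(h, gens):
    """Degree k and the bound c on the nontrivial eigenvalues."""
    lam = character_eigenvalues(h, gens)
    k = len(gens)
    c = max(abs(x) for x in lam[1:])
    return k, c


def walk_count(h, gens, x, r, target):
    """(chi_S, A^r chi_{x}) of (3.1): walks of length r from x ending in target."""
    v = [0] * h
    v[x] = 1
    for _ in range(r):
        v = adjacency_step(h, gens, v)
    return sum(v[y] for y in target)


def mixing_length(h, k, c, target_size):
    """Walk length of Proposition 3.1: least r with (k/c)^r >= 2h / |S|^(1/2)."""
    return math.ceil(math.log(2 * h / math.sqrt(target_size)) / math.log(k / c))


def check_mixing_bound(h, gens, x, target):
    """Verify the conclusion of Proposition 3.1 in exact integer arithmetic:
    at least |S| k^r / (2h) of the k^r walks of length r from x land in S.
    Returns (bound_holds, r, number_of_walks_landing_in_S)."""
    k, c = spectral_data(h, gens)
    r = mixing_length(h, k, c, len(target))
    count = walk_count(h, gens, x, r, target)
    return 2 * h * count >= len(target) * k ** r, r, count


if __name__ == "__main__":
    k, c = spectral_data(H, GENS)
    print("degree k =", k, " nontrivial eigenvalue bound c =", round(c, 4))
    print("Proposition 3.1 check (holds, r, walks in S):",
          check_mixing_bound(H, GENS, 0, TARGET))
```

The eigenvalues are never obtained by numerical diagonalization: as in (4.2), each character is an eigenvector by construction, and $\lambda_j$ is the character sum over the generating set. The walk count is exact because $A^r\chi_{\{x\}}$ is computed by $r$ integer applications of the adjacency operator.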


4.3 Eigenvalue Separation Under the Generalized Riemann Hypothesis 

Our isogeny graph is a superposition of the previous graphs $M(n)$, where $n$ is a
prime bounded by a parameter $m$ (which we recall is $(\log q)^{2+\delta}$ for some fixed
$\delta > 0$). This corresponds to a graph on the elliptic curves represented by ideal
classes in an order $\mathcal{O}$ of $K = \mathbb{Q}(\sqrt{d})$, whose edges represent isogenies of prime
degree $< m$. The graphs with adjacency matrices $\{M(p) \mid p < m\}$ above share
common eigenfunctions (the characters $\chi$ of $\mathrm{Cl}(\mathcal{O})$), and so their eigenvalues are

$$\lambda_\chi = \frac{1}{e}\sum_{p<m} a_p(\chi) = \frac{1}{e}\sum_{p<m}\ \sum_{\substack{\text{integral ideals } \mathfrak{a} \subset K \\ N\mathfrak{a} = p}} \chi(\mathfrak{a}). \qquad (4.4)$$

When $\chi$ is the trivial character, $\lambda_{\mathrm{triv}}$ equals the degree of the regular graph $\mathcal{G}$.
Since roughly half of rational primes $p$ split in $K$, and those which do split into
two ideals of norm $p$, $\lambda_{\mathrm{triv}}$ is roughly $\frac{\pi(m)}{e} \sim \frac{m}{e\log m}$ by the prime number theo-
rem. This eigenvalue is always the largest in absolute value, as can be deduced
from (4.4), because $|\chi(\mathfrak{a})|$ always equals 1 when $\chi$ is the trivial character. For
the polynomial mixing of the random walk in Theorem 1.1 we will require a
separation between the trivial and nontrivial eigenvalues of size $1/\mathrm{polylog}(q)$.
This would be the case, for example, if for each nontrivial character $\chi$ there
merely exists one ideal $\mathfrak{a}$ of prime norm $< m$ with $\mathrm{Re}\,\chi(\mathfrak{a}) < 1 - \frac{1}{\mathrm{polylog}(q)}$. This
is analogous to the problem of finding a small prime nonresidue modulo, say,
a large prime $Q$, where one merely needs to find any cancellation at all in the
character sum $\sum_{p<m}\left(\frac{p}{Q}\right)$. However, the latter requires a strong assumption from
analytic number theory, such as the Generalized Riemann Hypothesis (GRH).
In the next section we will accordingly derive such bounds for $\lambda_\chi$, under the
assumption of GRH. As a consequence of the more general Lemma 5.3 we will
show the following.

Lemma 4.1. Let $D < 0$ and let $\mathcal{O}$ be the quadratic order of discriminant $D$.
If $\chi$ is a nontrivial ideal class character of $\mathcal{O}$, then the Generalized Riemann
Hypothesis for $L(s,\chi)$ implies that the sum (4.4) is bounded by $O(m^{1/2}\log|mD|)$
with an absolute implied constant.
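As an added illustration of (4.4) and of the kind of bound in Lemma 4.1 (this is example code, not part of the paper), the following Python code computes both eigenvalues of the horizontal isogeny graph at the top level for $K = \mathbb{Q}(\sqrt{-5})$, i.e. $\mathcal{O} = \mathcal{O}_K$ of discriminant $D = -20$, which has class number 2, so the graph has two nodes and a single nontrivial character $\chi$, equal to $+1$ on the principal class and $-1$ on the other. The choice $D = -20$ and the cutoff $m$ are constructed; the class of a prime ideal of norm $p$ is read off from which of the two reduced forms $x^2 + 5y^2$ and $2x^2 + 2xy + 3y^2$ of discriminant $-20$ represents $p$ (for a split $p$ the two conjugate ideals lie in the same class, since $\mathrm{Cl}(\mathcal{O})$ has order 2). The sum $\lambda_\chi$ is then compared with $m^{1/2}\log m$ (implied constant 1, chosen here only for illustration), and $\lambda_{\mathrm{triv}}$ is checked against the independent formula $\frac{1}{e}\sum_{p<m}\big(1 + \left(\frac{D}{p}\right)\big)$.

```python
import math

D = -20                                 # constructed: disc of O = Z[sqrt(-5)]
FORMS = {0: (1, 0, 5), 1: (2, 2, 3)}    # reduced forms: principal class 0, other class 1
E_UNITS = 2                             # e = 2 since |D| > 4


def primes_below(m):
    """Primes p < m by a simple sieve."""
    sieve = bytearray([1]) * max(m, 2)
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(max(m, 2)) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [p for p in range(m) if sieve[p]]


def kronecker(D, p):
    """Kronecker symbol (D/p) for a prime p: 0 ramified, 1 split, -1 inert."""
    if D % p == 0:
        return 0
    if p == 2:
        return 1 if D % 8 in (1, 7) else -1
    return 1 if pow(D % p, (p - 1) // 2, p) == 1 else -1


def represents(form, n):
    """Does the positive definite form a x^2 + b x y + c y^2 represent n?
    The search box follows from 4a(ax^2+bxy+cy^2) = (2ax+by)^2 - disc*y^2."""
    a, b, c = form
    disc = b * b - 4 * a * c            # negative for a positive definite form
    ybound = math.isqrt(4 * a * n // -disc) + 1
    xbound = math.isqrt(4 * c * n // -disc) + 1
    return any(a * x * x + b * x * y + c * y * y == n
               for x in range(-xbound, xbound + 1)
               for y in range(-ybound, ybound + 1))


def prime_ideal_classes(m, D=D, forms=FORMS):
    """counts[c] = number of prime ideals of O of norm p < m lying in class c.
    A split p gives two ideals, a ramified p one ideal, an inert p none; the
    class of an ideal of norm p is the class of the form representing p."""
    counts = [0, 0]
    for p in primes_below(m):
        chi_D = kronecker(D, p)
        if chi_D == -1:
            continue
        cls = 0 if represents(forms[0], p) else 1
        counts[cls] += 2 if chi_D == 1 else 1
    return counts


def isogeny_graph_eigenvalues(m, e=E_UNITS):
    """Eigenvalues (4.4) of the two-node horizontal isogeny graph for D = -20
    built from isogenies of prime degree p < m: (lambda_triv, lambda_chi).
    The adjacency matrix is (1/e) [[c0, c1], [c1, c0]]: class-0 ideals give
    loops, class-1 ideals give edges between the two nodes."""
    c0, c1 = prime_ideal_classes(m)
    return (c0 + c1) / e, (c0 - c1) / e


def trivial_eigenvalue_from_symbol(m, D=D, e=E_UNITS):
    """Independent check: lambda_triv = (1/e) sum_{p<m} (1 + (D/p))."""
    return sum(1 + kronecker(D, p) for p in primes_below(m)) / e


def nontrivial_within_bound(m):
    """Is |lambda_chi| <= m^(1/2) log m, the shape of the GRH bound (constant 1)?"""
    _, lam_chi = isogeny_graph_eigenvalues(m)
    return abs(lam_chi) <= math.sqrt(m) * math.log(m)


if __name__ == "__main__":
    for m in (12, 30, 1000, 10000):
        lam_triv, lam_chi = isogeny_graph_eigenvalues(m)
        print(f"m={m:6d}  lambda_triv={lam_triv:8.1f}  lambda_chi={lam_chi:7.1f}"
              f"  sqrt(m) log m={math.sqrt(m) * math.log(m):8.1f}")
```

For $m = 12$ the primes below $m$ contribute as follows: 2 ramified with its ideal in the non-principal class, 3 and 7 split with both ideals non-principal, 5 ramified and principal, 11 inert; hence $(c_0, c_1) = (1, 5)$ and $(\lambda_{\mathrm{triv}}, \lambda_\chi) = (3, -2)$.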

Proof (of Theorem 1.1). There are only finitely many levels for $q$ less than any
given bound, so it suffices to prove the theorem for $q$ large and $p(x) = x^{2+\delta}$,
where $\delta > 0$ is fixed. The eigenvalues of the adjacency matrix for a given level are
given by (4.4). Recall that $|D| \le 4q$ and $\lambda_{\mathrm{triv}} \sim \frac{m}{e\log m}$. With our choice of $m =
p(\log q)$, the bound for the nontrivial eigenvalues in Lemma 4.1 is $\lambda_\chi = O(\lambda_{\mathrm{triv}}^\beta)$
for any $\beta > \frac{1}{2} + \frac{1}{2+\delta}$. That means indeed our isogeny graphs are expanders for $q$
large; the random walk assertion follows from this bound and Proposition 3.1.

Proof (of Corollary 1.2). The Theorem shows that a random walk from any
fixed curve $E$ probabilistically reaches the proportion where the algorithm $\mathcal{A}$
succeeds, in at most $\mathrm{polylog}(q)$ steps. Since each step is a low degree isogeny,
their composition can be computed in $\mathrm{polylog}(q)$ steps. Even though the degree
of this isogeny might be large, the degrees of each step are small. This provides
the random polynomial time reduction of DLOG along successive curves in the
random walk, and hence from $E$ to a curve for which the algorithm $\mathcal{A}$ succeeds.

5 The Prime Number Theorem for Modular Form L-Functions 

In this section we prove Lemma 4.1, assuming the Generalized Riemann Hy-
pothesis (GRH) for the $L$-functions (4.3). Our argument is more general, and
in fact gives estimates for sums of the form $\sum_{p<m} a_p$, where $a_p$ are the prime
coefficients of any $L$-function. This can be thought of as an analog of the Prime
Number Theorem because for the simplest $L$-function, $\zeta(s)$, $a_p = 1$ and this
sum is in fact exactly $\pi(m)$. As a compromise between readability and general-
ity, we will restrict the presentation here to the case of modular form $L$-functions
(including (4.3)). Background references for this section include [19,20,35]; for
information about more general $L$-functions see also [14, 39].

We shall now consider a classical holomorphic modular form $f$, with Fourier
expansion $f(z) = \sum_{n=0}^{\infty} c_n e^{2\pi i n z}$. We will assume that $f$ is a Hecke eigenform,
since this condition is met in the situation of Lemma 4.1 (see the comments
between (4.2) and (4.3)). It is natural to study the renormalized coefficients
$a_n = n^{-(k-1)/2} c_n$, where $k \ge 1$ is the weight of $f$ (in Section 4.2 $k = 1$, so
$a_n = c_n$). The $L$-function of such a modular form can be written as the Dirichlet
series $L(s,f) = \sum_{n=1}^{\infty} a_n n^{-s} = \prod_p (1 - \alpha_p p^{-s})^{-1}(1 - \beta_p p^{-s})^{-1}$, the last equality
using the fact that $f$ is a Hecke eigenform. The $L$-function $L(s,f)$ is entire when
$f$ is a cusp form (e.g. $a_0 = 0$). The Ramanujan conjecture (in this case a theorem
of [6] and [7]) asserts that $|\alpha_p|, |\beta_p| \le 1$.

Lemma 4.1 is concerned with estimates for the sums

$$S(m,f) := \sum_{p<m} a_p. \qquad (5.1)$$

As with the prime number theorem, it is more convenient to instead analyze the
weighted sum

$$\psi(m,f) := \sum_{p^k < m} b_{p^k}\log p \qquad (5.2)$$

over prime powers, where the coefficients $b_n$ are those appearing in the Dirichlet
series for $-\frac{L'}{L}(s)$:

$$-\frac{L'}{L}(s) = \sum_{n=1}^{\infty} b_n \Lambda(n)\,n^{-s} = \sum_{p^k} b_{p^k}\log(p)\,p^{-ks},$$

i.e., $b_{p^k} = \alpha_p^k + \beta_p^k$.

Lemma 5.1. For a holomorphic modular form $f$ one has

$$\psi(m,f) = \sum_{p<m} a_p\log p + O(m^{1/2}). \qquad (5.3)$$

Proof. The error term represents the contribution of proper prime powers. Since
$|b_{p^k}| \le 2$, it is bounded by twice

$$\sum_{p \le m^{1/2}}\ \sum_{2 \le k \le \frac{\log m}{\log p}} \log p \le \sum_{p \le m^{1/2}} \log m = \pi(m^{1/2})\log m,$$

which is $O(m^{1/2})$ by the Prime Number Theorem.

Lemma 5.2. (Iwaniec [20, p. 114].) Assume that $f$ is a holomorphic modu-
lar cusp form of level³ $N$ and that $L(s,f)$ satisfies GRH. Then $\psi(m,f) =
O(m^{1/2}\log(m)\log(mN))$.

³ Actually in [20] $N$ equals the conductor of the $L$-function, which in general may be
smaller than the level. The lemma is of course nevertheless valid.
We deduce that $S'(m,f) := \sum_{p<m} a_p\log p = O(m^{1/2}\log(m)\log(mN))$. Fi-
nally we shall estimate the sums $S(m,f)$ from (5.1) by removing the $\log(m)$
using a standard partial summation argument.

Lemma 5.3. Suppose that $f$ is a holomorphic modular cusp form of level $N$
and $L(s,f)$ satisfies GRH. Then $S(m,f) = O(m^{1/2}\log(mN))$.


Proof. First define $\tilde{a}_n$ to be $a_n$ if $n$ is prime, and 0 otherwise. Then


By partial summation over $2 \le n \le m$, we then find

$$S(m,f) \ll \sum_{2 \le n \le m} \big(n^{1/2}\log(n)\log(nN)\big)\,\Big|\frac{d}{dn}\big((\log n)^{-1}\big)\Big| + \frac{S'(m,f)}{\log m} \ll \sum_{2 \le n \le m} \frac{\log(n)\log(nN)}{n^{1/2}(\log n)^2} + m^{1/2}\log(mN) \ll m^{1/2}\log(mN),$$

so in fact $S(m,f) = \sum_{p<m} a_p = O(m^{1/2}\log(mN))$.

All the implied constants in these 3 lemmas are absolute. Some useful esti- 
mates for them may be found in [2]. 


5.1 Subexponential Reductions Via Lindelöf Hypothesis 

In the previous lemma we have assumed GRH. It seems very difficult to get
a corresponding unconditional bound for $S(m,f)$. However, a slightly weaker
statement can be proven by assuming only the Lindelöf hypothesis (which is a
consequence of GRH). Namely, one has that $\sum_{n<m} a_n = O_\epsilon(m^{1/2+\epsilon}N^\epsilon)$, for
any $\epsilon > 0$ ([19, (5.61)]). The fact that this last sum is over all $n < m$, not just
primes, is not of crucial importance for our application. However, the significant
difference here is that the dependence on $N$ is not polynomial in $\log N$, but
merely subexponential. This observation can be used to weaken the hypothesis
in Theorem 1.1 and Corollary 1.2 from GRH to the Lindelöf hypothesis, at the
expense of replacing “polynomial” by “subexponential.”

6 Distribution of $c_\pi$ 

Theorem 1.1 and Corollary 1.2 are statements about individual levels. As we
mentioned in Section 1.1, our random reducibility result extends between two
levels as long as the levels satisfy the requirement that their conductors differ by
polynomially smooth amounts. In this section we explore this extension in more
detail, and explain why the above requirement is typically satisfied.

It was mentioned after Theorem 2.2 that the largest possible conductor differ-
ence is $c_\pi$, which is the largest square factor of $d_\pi = \mathrm{Trace}(E)^2 - 4q$. In principle
this factor could be as large as $2\sqrt{q}$, though statistically speaking most integers
(a proportion of $\frac{6}{\pi^2} \approx .61$) are square-free, explaining why $c_\pi$ is very often 1 or
at least fairly small [44]. This means, for example, that most randomly selected
elliptic curves have an isogeny class consisting of only one level.

When an isogeny class consists of multiple levels, we need to be able to con-
struct vertical isogenies between levels in order to conclude that dlog instances
between the levels are randomly reducible to each other. The fastest known al-
gorithm for constructing vertical isogenies between two levels, due to Kohel [23],
has runtime $O(\ell^4)$, where $\ell$ is the largest prime dividing the conductor of one
of the levels, but not the other. Any two levels which can be efficiently bridged
via Kohel’s algorithm can be considered as one unit for the purposes of random
reducibility. Accordingly, polynomial time random reducibility holds within an
isogeny class if $c_\pi$ for that isogeny class is polynomially smooth.

With this in mind, we will now determine a heuristic estimate for the expected
size of the largest prime factor $P(c_\pi)$ of $c_\pi$, i.e., the largest prime which divides
$d_\pi$ to order at least 2. The trace $t = \mathrm{Trace}(E)$, when sampled over random
elliptic curves, is thought to have a fairly uniform distribution over most of the
Hasse interval. This serves to predict the useful heuristic that $-d_\pi = 4q - t^2$ is
typically of size $q$ (see for example [25,41]). Assuming that, the probability that
$P(c_\pi)$ exceeds $\beta$ can be loosely estimated as $O(1/\beta)$. This is because roughly
a fraction of $\rho = \prod_{p > \beta}(1 - p^{-2})$ integers of size $q$ have no repeated prime
factor $p > \beta$. It is easy to see that $\log(\rho) = O(\sum_{n > \beta} n^{-2}) = O(1/\beta)$, so that
$1 - \rho = O(1/\beta)$ as suggested.

It follows that a randomly selected elliptic curve is extremely likely to have
a small enough value of $P(c_\pi)$ to allow for random reducibility throughout its
entire isogeny class. This explains why in Figure 1 all of the randomly generated
curves have $P(c_\pi) = 1$, except for one curve which has $P(c_\pi) = 3$.
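The quantities of Section 2 (the trace, $d_\pi = \mathrm{Trace}(E)^2 - 4q$, $c_\pi$ and $d_K$), the counts of Theorem 2.2, and the heuristic above on $P(c_\pi)$ can all be exercised on small curves. The following Python code is an added example and not code from the paper: it counts the points of $y^2 = x^3 + ax + b$ over a small prime field by brute force, splits $d_\pi$ as $c_\pi^2 d_K$, tabulates the (horizontal, up, down) counts of Theorem 2.2 for a given level and prime $\ell$ (the level is specified by the conductor $c_E$ of $\mathrm{End}(E)$, which this code does not compute from the curve), and samples random ordinary curves over $\mathbb{F}_{1009}$ to record $P(c_\pi)$ (the prime 1009, the sample size and the seed are constructed choices). The curve $y^2 = x^3 + x$ over $\mathbb{F}_{13}$ used below has 20 points, trace $-6$ and $d_\pi = -16 = 2^2\cdot(-4)$, so its isogeny class has the two levels $\mathcal{O}_K = \mathbb{Z}[i]$ and $\mathbb{Z}[\pi] = \mathbb{Z}[2i]$.

```python
import random


def count_points(p, a, b):
    """#E(F_p) for E: y^2 = x^3 + a x + b over a prime field, by brute force
    over x; Euler's criterion decides how many y solve the equation."""
    n = 1                                   # the point at infinity
    for x in range(p):
        v = (x * x * x + a * x + b) % p
        if v == 0:
            n += 1
        elif pow(v, (p - 1) // 2, p) == 1:
            n += 2
    return n


def split_square(n):
    """Write n = s * f**2 with s square-free (s carries the sign of n)."""
    m, f, q = abs(n), 1, 2
    while q * q <= m:
        while m % (q * q) == 0:
            m //= q * q
            f *= q
        q += 1
    return (m if n > 0 else -m), f


def frobenius_data(p, a, b):
    """Trace, d_pi = Trace(E)^2 - 4p, and the decomposition d_pi = c_pi^2 d_K
    into the conductor of Z[pi] and the fundamental discriminant of K."""
    N = count_points(p, a, b)
    t = p + 1 - N
    d_pi = t * t - 4 * p
    s, f = split_square(d_pi)
    if s % 4 == 1:                          # s is already a discriminant
        d_K, c_pi = s, f
    else:                                   # s = 2,3 mod 4: d_K = 4s, f is even
        d_K, c_pi = 4 * s, f // 2
    return {"N": N, "t": t, "d_pi": d_pi, "c_pi": c_pi, "d_K": d_K,
            "ordinary": t % p != 0}


def kronecker(D, ell):
    """Kronecker symbol (D/ell) for a prime ell."""
    if D % ell == 0:
        return 0
    if ell == 2:
        return 1 if D % 8 in (1, 7) else -1
    return 1 if pow(D % ell, (ell - 1) // 2, ell) == 1 else -1


def isogeny_counts(d_K, c_E, c_pi, ell):
    """(horizontal, up, down) numbers of degree-ell isogenies from a curve whose
    End(E) has conductor c_E, in an isogeny class of conductor c_pi, following
    Theorem 2.2 with D = c_E^2 d_K the discriminant of End(E)."""
    if c_pi % c_E != 0:
        raise ValueError("c_E must divide c_pi")
    D = c_E * c_E * d_K
    if c_E % ell != 0:                      # ell does not divide c_E
        chi = kronecker(D, ell)
        down = ell - chi if c_pi % ell == 0 else 0
        return 1 + chi, 0, down
    down = ell if (c_pi // c_E) % ell == 0 else 0
    return 0, 1, down


def largest_prime_factor(n):
    """P(n), with P(1) = 1 as in the paper's Figure 1."""
    best, q = 1, 2
    while q * q <= n:
        while n % q == 0:
            best, n = q, n // q
        q += 1
    return max(best, n) if n > 1 else best


def sample_conductors(p, trials, seed=0):
    """P(c_pi) for random ordinary curves y^2 = x^3 + a x + b over F_p."""
    rng = random.Random(seed)
    out = []
    while len(out) < trials:
        a, b = rng.randrange(p), rng.randrange(p)
        if (4 * a ** 3 + 27 * b * b) % p == 0:
            continue                        # singular cubic, skip
        fd = frobenius_data(p, a, b)
        if fd["ordinary"]:
            out.append(largest_prime_factor(fd["c_pi"]))
    return out


if __name__ == "__main__":
    print(frobenius_data(13, 1, 0))
    for c_E in (1, 2):                      # top level Z[i], bottom level Z[2i]
        print("c_E =", c_E, [isogeny_counts(-4, c_E, 2, ell) for ell in (2, 3, 5)])
    vals = sample_conductors(1009, 60)
    print("fraction with c_pi = 1:", vals.count(1) / len(vals), " max P(c_pi):", max(vals))
```

For the curve over $\mathbb{F}_{13}$, Theorem 2.2 at the top level gives one horizontal and two down 2-isogenies (since $\left(\frac{-4}{2}\right) = 0$ and $2 \mid c_\pi$), while at the bottom level there is a single up 2-isogeny and nothing else, the familiar shape of a 2-volcano with two levels.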

Finally, let us consider the situation where a non-random curve is deliberately
selected so as to have a large value of $c_\pi$. Currently the only known methods for
constructing such curves is to use complex multiplication methods [3, Ch. VIII]
to construct curves with a predetermined number of points chosen to ensure that
$c_\pi$ is almost as large as $\sqrt{|d_\pi|}$. Some convenient examples of such curves are the
Koblitz curves listed in the NIST FIPS 186-2 document [36], which we have also
tabulated in Figure 1. Since these curves all have complex multiplication by the
field $K = \mathbb{Q}(\sqrt{-7})$, the discriminants of these curves are of the form $d_\pi = -7c_\pi^2$.
If we assume that $c_\pi$ behaves as a random integer of size $\sqrt{|d_\pi|}$, which is roughly
$\sqrt{q}$, then the distribution of $P(c_\pi)$ is governed by the usual smoothness bounds
for large integers [44], and hence is typically too large to permit efficient ap-
plication of Kohel’s algorithm for navigating between levels. Thus we cannot
prove random reducibility from a theoretical standpoint for all of the elliptic
curves within the isogeny class $S_{N,q}$ of such a specially constructed curve. How-
ever, in practice only a small subset of the elliptic curves in $S_{N,q}$ are efficiently
constructible using the complex multiplication method (or any other presently
known method), and this subset coincides exactly with the subcollection of lev-
els in $S_{N,q}$ which are accessible from the top level (where $\mathrm{End}(E) = \mathcal{O}_K$) using
Kohel’s algorithm. Pending future developments, it therefore remains true that
all of the special curves that we can construct within an isogeny class have
equivalent dlog problems in the random reducible sense.
A Supersingular Case 

In this appendix we discuss the isogeny graphs for supersingular elliptic curves 
and prove Theorem 1.1 in this setting. The isogeny graphs were first considered 
by Mestre [33], and were shown by Pizer [37,38] to have the Ramanujan property. 
Curiously, the actual graphs were first described by Ihara [18] in 1965, but not 
noticed to be examples of expander graphs until much later. We have decided 
to give an account here for completeness, mainly following Pizer’s arguments. 
The isogeny graphs we will present here differ from those in the ordinary case in 
that they are directed. This will cause no serious practical consequences, because 
one can arrange that only a bounded number of edges in these graphs will be 
unaccompanied by a reverse edge. Also, the implication about rapid mixing 
used for Theorem 1.1 carries over as well in the directed setting with almost 
no modification. It is instructive to compare the proofs for the ordinary and 
supersingular cases, in order to see how GRH plays a role analogous to the 
Ramanujan conjectures. 

Every $\overline{\mathbb{F}}_q$-isomorphism class of supersingular elliptic curves in characteristic
$p$ is defined over either $\mathbb{F}_p$ or $\mathbb{F}_{p^2}$ [42], so it suffices to fix $\mathbb{F}_q = \mathbb{F}_{p^2}$ as the field
of definition for this discussion. Thus, in contrast to ordinary curves, there is a
finite bound $g$ on the number of isomorphism classes that can belong to any given
isogeny class (this bound is in fact the genus of the modular curve $X_0(p)$, which
is roughly $\frac{p+1}{12}$). It turns out that all isomorphism classes of supersingular curves
defined over $\mathbb{F}_{p^2}$ belong to the same isogeny class [33]. Because the number of
supersingular curves up to isomorphism is so much smaller than the number of
ordinary curves up to isomorphism, correspondingly fewer of the edges need to
be included in order to form a Ramanujan graph. For a fixed prime value of
$\ell \ne p$, we define the vertices of the supersingular isogeny graph $\mathcal{G}$ to consist of
these $g$ isomorphism classes, with directed edges indexed by equivalence classes
of degree-$\ell$ isogenies as defined below. In fact, we will prove that $\mathcal{G}$ is a directed
$k = \ell + 1$-regular graph satisfying the Ramanujan bound of $|\lambda| \le 2\sqrt{\ell} = 2\sqrt{k-1}$
for the nontrivial eigenvalues of its adjacency matrix. The degree $\ell$ in particular
may be taken to be as small as 2 or 3.

For the definition of the equivalence classes of isogenies — as well as later 
for the proofs — we now need to recall the structure of the endomorphism rings 
of supersingular elliptic curves. In contrast to the ordinary setting (Section 2), 
the endomorphism ring $\mathrm{End}(E)$ is a maximal order in the quaternion algebra 
$R = \mathbb{Q}_{p,\infty}$ ramified at $p$ and $\infty$. Moreover, isomorphism classes of supersingular 
curves $E_i$ isogenous to $E$ are in 1-1 correspondence with the left ideal classes 
$I_i := \mathrm{Hom}(E_i, E)$ of $R$. As in Section 2.1, call two isogenies $\phi_1, \phi_2\colon E_i \to E_j$ 
equivalent if there exists an automorphism $\alpha$ of $E_j$ such that $\phi_1 = \alpha\phi_2$. Under 
this relation, the set of equivalence classes of isogenies from $E_i$ to $E_j$ is equal to 
$I_j^{-1} I_i$ modulo the units of $I_j$. This correspondence is degree preserving, in the 
sense that the degree of an isogeny equals the reduced norm of the corresponding 
element in $I_j^{-1} I_i$, normalized by the norm of $I_j^{-1} I_i$ itself. This is the notion of 
equivalence class of isogenies referred to in the definition of $\mathcal{G}$ in the previous 
paragraph. Thus, for any integer $n$, the generating function for the number 
$M_{ij}(n)$ of equivalence classes of degree $n$ isogenies from $E_i$ to $E_j$ (i.e., the number 
of edges between vertices representing elliptic curves $E_i$ and $E_j$) is given by 

$$\sum_{n=0}^{\infty} M_{ij}(n)\, q^n \;=\; \frac{1}{e_j} \sum_{\alpha \in I_j^{-1} I_i} q^{\,N(\alpha)/N(I_j^{-1} I_i)}, \qquad \text{(A.1)}$$

with $N$ denoting the reduced norm, and where $e_j$ is the number of units in $I_j$ (equivalently, the number of automorphisms 
of $E_j$). One knows that $e_j \le 6$, and in fact $e_j = 2$ except for at most two values of 
$j$ - see the further remarks at the end of this appendix. Proofs for the statements 
in this paragraph can be found in [15,38]. 

The $\theta$-series on the right-hand side of (A.1) is a weight 2 modular form for the 
congruence subgroup $\Gamma_0(p)$, and the matrices 

$$B(n) := \begin{pmatrix} M_{11}(n) & \cdots & M_{1g}(n) \\ \vdots & \ddots & \vdots \\ M_{g1}(n) & \cdots & M_{gg}(n) \end{pmatrix}$$

(called Brandt matrices) are simultaneously both the $n$-th Fourier coefficients 
of various modular forms, as well as the adjacency matrices for the graph $\mathcal{G}$. A 
fundamental property of the Brandt matrices $B(n)$ is that they represent the 
action of the $n$-th Hecke operator $T(n)$ on a certain basis of modular forms of 
weight 2 for $\Gamma_0(p)$ (see [37]). Thus the eigenvalues of $B(n)$ are given by the $n$-th 
coefficients of the weight-2 Hecke eigenforms for $\Gamma_0(p)$. These eigenforms include 
a single Eisenstein series, with the rest being cusp forms. Now we suppose that 
$n = \ell$ is prime (mainly in order to simplify the following statements). The $n$-th 
Hecke eigenvalue of the Eisenstein series is $n+1$, while those of the cusp forms are 
bounded in absolute value by $2\sqrt{n}$ according to the Ramanujan conjectures (in 
this case a theorem of Eichler [9] and Igusa [17]). Thus the adjacency matrix of $\mathcal{G}$ 
has trivial eigenvalue equal to $\ell+1$ (the degree $k$), and its nontrivial eigenvalues 
indeed satisfy the Ramanujan bound $|\lambda| \le 2\sqrt{k-1}$. 

Finally, we conclude with some comments about the potential asymmetry of 
the matrix $B(n)$. This is due to the asymmetry in the definition of equivalence 
classes of isogenies. Indeed, if $\mathrm{Aut}(E_1)$ and $\mathrm{Aut}(E_2)$ are different, then two 
isogenies $E_1 \to E_2$ can sometimes be equivalent even when their dual isogenies 
are not equivalent. This problem arises only if one of the curves $E_i$ has 
complex multiplication by either $\sqrt{-1}$ or $e^{2\pi i/3}$, since otherwise the only possible 
automorphisms of $E_i$ are the scalar multiplication maps $\pm 1$ [42, §III.10]. In the 
supersingular setting, one can avoid curves with such unusually rich 
automorphism groups by choosing a characteristic $p$ which splits in both $\mathbb{Z}[\sqrt{-1}]$ and 
$\mathbb{Z}[e^{2\pi i/3}]$, i.e., $p \equiv 1 \pmod{12}$ (see [37, Prop. 4.6]). In the case of ordinary curves, 
however, the quadratic orders $\mathbb{Z}[\sqrt{-1}]$ and $\mathbb{Z}[e^{2\pi i/3}]$ both have class number 1, 
which then renders the issue moot because the isogeny graphs corresponding to 
these levels each have only one node. 
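As an added, runnable check of the claims in this appendix (editorial example code, not from the paper): for $p = 97$, which is $1 \bmod 12$, the script enumerates the supersingular $j$-invariants over $\mathbb{F}_{p^2}$ by brute-forcing the roots of the Hasse polynomial of the Legendre family (a standard characterization assumed here; the appendix does not state it), builds the 2-isogeny graph from the classical level-2 modular polynomial $\Phi_2$ (its coefficients are assumed from the literature), and checks that the graph has about $p/12$ vertices, is $(\ell+1) = 3$-regular, has a symmetric adjacency matrix as the last paragraph predicts for $p \equiv 1 \pmod{12}$, and that every nontrivial eigenvalue satisfies the Ramanujan bound $|\lambda| \le 2\sqrt{2}$. The choice of $p$, the field construction and the Jacobi eigenvalue routine are mine.

```python
from math import comb, sqrt

P = 97  # prime with P = 1 (mod 12): every Aut(E) is {+1, -1}, so the graph is undirected
NONRES = next(a for a in range(2, P) if pow(a, (P - 1) // 2, P) == P - 1)  # non-square mod P


class F2:
    """a + b*w in F_{p^2} = F_p[w]/(w^2 - NONRES); just enough arithmetic for the computation below."""
    __slots__ = ("a", "b")
    def __init__(self, a, b=0): self.a, self.b = a % P, b % P
    def __add__(self, o): return F2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return F2(self.a - o.a, self.b - o.b)
    def __mul__(self, o): return F2(self.a * o.a + NONRES * self.b * o.b, self.a * o.b + self.b * o.a)
    def __eq__(self, o): return (self.a, self.b) == (o.a, o.b)
    def __hash__(self): return hash((self.a, self.b))
    def __pow__(self, e):
        r = F2(1)
        for _ in range(e): r = r * self
        return r
    def inv(self):  # (a + bw)(a - bw) = a^2 - NONRES*b^2 lies in F_p, so invert there by Fermat
        n = pow((self.a * self.a - NONRES * self.b * self.b) % P, P - 2, P)
        return F2(self.a * n, -self.b * n)


def supersingular_j_invariants():
    """All supersingular j-invariants in characteristic P, via the Legendre family y^2 = x(x-1)(x-l):
    the curve is supersingular iff the Hasse polynomial H(l) = sum_i C(m,i)^2 l^i vanishes, m = (P-1)/2,
    and then j = 256 (l^2 - l + 1)^3 / (l^2 (l - 1)^2).  Such l lie in F_{p^2}, so brute force over it."""
    m = (P - 1) // 2
    hasse = [F2(comb(m, i) ** 2) for i in range(m, -1, -1)]  # highest degree first, for Horner
    zero, one = F2(0), F2(1)
    js = set()
    for a in range(P):
        for b in range(P):
            lam = F2(a, b)
            if lam == zero or lam == one:
                continue
            h = zero
            for c in hasse:
                h = h * lam + c
            if h == zero:
                js.add(F2(256) * (lam * lam - lam + one) ** 3 * (lam * lam * (lam - one) ** 2).inv())
    return sorted(js, key=lambda j: (j.a, j.b))


def phi2_in_y(x):
    """Phi_2(x, Y) as a cubic in Y (coefficients highest degree first); Phi_2 is the classical
    modular polynomial of level 2, so its roots in Y are the j-invariants 2-isogenous to x."""
    return [F2(1),
            F2(-1) * x * x + F2(1488) * x - F2(162000),
            F2(1488) * x * x + F2(40773375) * x + F2(8748000000),
            x ** 3 - F2(162000) * x * x + F2(8748000000) * x - F2(157464000000000)]


def root_multiplicities(coeffs, candidates):
    """Multiplicity of each candidate as a root, by repeated synthetic division by (Y - r)."""
    mult = {}
    for r in candidates:
        while len(coeffs) > 1:
            q, acc = [], F2(0)
            for co in coeffs:            # Horner: q[:-1] is the quotient, q[-1] the remainder
                acc = acc * r + co
                q.append(acc)
            if q[-1] != F2(0):
                break
            coeffs, mult[r] = q[:-1], mult.get(r, 0) + 1
    return mult


def isogeny_adjacency(js):
    """Adjacency matrix of the 2-isogeny graph: entry (i, j) counts 2-isogenies from js[i] to js[j]."""
    rows = []
    for x in js:
        mult = root_multiplicities(phi2_in_y(x), js)
        rows.append([mult.get(y, 0) for y in js])
    return rows


def sym_eigvals(A, sweeps=40):
    """Eigenvalues of a small symmetric matrix by cyclic Jacobi rotations (no numpy needed)."""
    A = [[float(v) for v in row] for row in A]
    n = len(A)
    for _ in range(sweeps):
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-15:
                    continue
                theta = (A[q][q] - A[p][p]) / (2 * A[p][q])
                t = (1 if theta >= 0 else -1) / (abs(theta) + sqrt(theta * theta + 1))
                c = 1 / sqrt(t * t + 1)
                s = t * c
                for k in range(n):   # A <- A J   (rotate columns p, q)
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):   # A <- J^T A (rotate rows p, q)
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return sorted(A[i][i] for i in range(n))


if __name__ == "__main__":
    js = supersingular_j_invariants()
    A = isogeny_adjacency(js)
    ev = sym_eigvals(A)
    print(f"p = {P}: {len(js)} vertices (p/12 = {P / 12:.2f}), row sums {sorted(set(map(sum, A)))}")
    print("symmetric adjacency:", A == [list(c) for c in zip(*A)])
    print("eigenvalues:", [round(e, 3) for e in ev], " 2*sqrt(k-1) =", round(2 * sqrt(2), 3))
```

The largest eigenvalue is the degree $k = 3$ (the Eisenstein contribution); the remaining seven are the $a_2$ coefficients of weight-2 eigenforms for $\Gamma_0(97)$ and stay inside $[-2\sqrt{2}, 2\sqrt{2}]$. For a prime $p \not\equiv 1 \pmod{12}$ the same script shows the asymmetry discussed above at the vertices $j = 0$ or $j = 1728$.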
Abstract. Cryptosystems based on the knapsack problem were among 
the first public-key systems to be invented. Their high encryption/ 
decryption rate attracted considerable interest until it was noticed that 
the underlying knapsacks often had a low density, which made them 
vulnerable to lattice attacks, both in theory and practice. To prevent 
low-density attacks, several designers found a subtle way to increase 
the density beyond the critical density by decreasing the weight of the 
knapsack, and possibly allowing non-binary coefficients. This approach 
is actually a bit misleading: we show that low-weight knapsacks do not 
prevent efficient reductions to lattice problems like the shortest vector 
problem, they even make reductions more likely. To measure the resis- 
tance of low-weight knapsacks, we introduce the novel notion of pseudo- 
density, and we apply the new notion to the Okamoto-Tanaka-Uchiyama 
(OTU) cryptosystem from Crypto ’00. We do not claim to break OTU 
and we actually believe that this system may be secure with an appro- 
priate choice of the parameters. However, our research indicates that, 
in its current form, OTU cannot be supported by an argument based 
on density. Our results also explain why Schnorr and Horner were able 
to solve at Eurocrypt ’95 certain high-density knapsacks related to the 
Chor-Rivest cryptosystem, using lattice reduction. 

Keywords: Knapsack, Subset Sum, Lattices, Public-Key Cryptanalysis. 

1 Introduction 

The knapsack (or subset sum) problem is the following: given a set $\{a_1, a_2, \ldots, a_n\}$ 
of positive integers and a sum $s = \sum_{i=1}^n m_i a_i$ where each $m_i \in \{0, 1\}$, recover 
the $m_i$'s. On the one hand, it is well-known that this problem is NP-hard, and 
accordingly it is considered to be hard in the worst case. On the other hand, 
some knapsacks are very easy to solve, such as when the $a_i$'s are the successive 
powers of two, in which case the problem is to find the binary decomposition 
of $s$. This inspired many public-key cryptosystems in the eighties, following the 
seminal work of Merkle and Hellman [10]: 

B. Roy (Ed.): ASIACRYPT 2005, LNCS 3788, pp. 41-58, 2005. 
The Public Key: a set of positive integers $\{a_1, a_2, \ldots, a_n\}$. 

The Private Key: a method to transform the presumed hard public knapsack 
into an easy knapsack. 

Encryption: a message $m = (m_1, m_2, \ldots, m_n) \in \{0,1\}^n$ is enciphered into 
$s = \sum_{i=1}^n m_i a_i$. 

However, with the noticeable exception of the Okamoto-Tanaka-Uchiyama 
(OTU) quantum knapsack cryptosystem from Crypto '00 [19], all proposed knapsack 
schemes have been broken (see the survey by Odlyzko [18]), either because 
of the special structure of the public key (like in [16,22]) leading to key-recovery 
attacks, or because of the so-called low-density attacks [6,3] which allow one to 
decrypt ciphertexts. 

The density of the knapsack is defined as $d = n/\log_2 A$ where $A = \max_{1 \le i \le n} a_i$. 
The density cannot be too high, otherwise encryption would not be injective. 
Indeed, any subset sum $s = \sum_{i=1}^n m_i a_i$ lies in $[0, nA]$, while there are $2^n$ ways to 
select the $m_i$'s: if $2^n > nA$, that is, $d > n/(n - \log_2 n)$, there must be a collision 
$\sum_{i=1}^n m_i a_i = \sum_{i=1}^n m'_i a_i$ with $m \neq m'$. On the other hand, when the density is too low, there 
is a very efficient reduction from the knapsack problem to the lattice shortest 
vector problem (SVP): namely, Coster et al. [3] showed that if $d < 0.9408\ldots$ 
(improving the earlier bound $0.6463\ldots$ by Lagarias-Odlyzko [6]), and if the $a_i$'s 
are chosen uniformly at random over $[0, A]$, then the knapsack problem can be 
solved with high probability with a single call to a SVP-oracle in dimension 
$n$. In practical terms, this means that $n$ must be rather large to avoid lattice 
attacks (see the survey [17]): despite their NP-hardness, SVP and other lattice 
problems seem to be experimentally solvable up to moderate dimension. This 
is why several articles (e.g. [6,3,1,14]) study efficient provable reductions from 
problems of cryptographic interest to lattice problems such as SVP or the lattice 
closest vector problem (CVP). 

To thwart low-density attacks, several knapsack cryptosystems like Chor-Rivest [2], 
Qu-Vanstone [16], Okamoto-Tanaka-Uchiyama [19] use in their encryption 
process a low-weight knapsack instead of a random knapsack: $r = \sum_{i=1}^n m_i$ 
is much smaller than $n/2$, namely sublinear in $n$. This means that 
the message space is no longer $\{0, 1\}^n$, but a subset with a special structure, 
such as the elements of $\{0,1\}^n$ with Hamming weight $k$, in the case of Chor-Rivest [2] 
or OTU [19]. Alternatively, it was noticed by Lenstra in [7] that such 
schemes still work with more general knapsacks where the coefficients are not 
necessarily 0 or 1: this leads to the powerline encoding where the plaintexts are 
the elements $(m_1, \ldots, m_n) \in \mathbb{N}^n$ such that $\sum_{i=1}^n m_i = k$, where again $k$ is much 
less than $n/2$. With such choices, it becomes possible to decrease the bit-length 
of the $a_i$'s so as to increase the density $d$ beyond the critical density: a general 
subset sum $s = \sum_{i=1}^n m_i a_i$ may then have several solutions, but one is able to 
detect the correct one because of its special structure. It was claimed that such 
knapsack schemes would resist lattice attacks. 

Our Results. In this article, we show that low-weight knapsacks are still prone 
to lattice attacks in theory. Extending earlier work of [6,3,20], we provide a general 
framework to study provable reductions from the knapsack problem to two 
well-known lattice problems: the shortest vector problem (SVP) and the closest 
vector problem (CVP). The framework relates in a simple manner the success 
probability of the reductions to the number of integer points in certain high- 
dimensional spheres, so that the existence of reductions can be assessed based 
only on combinatorial arguments, without playing directly with lattices. We no- 
tice that this number of integer points can be computed numerically for any 
realistic choice of knapsacks, which makes it possible to analyze the resistance 
of any concrete choice of parameters for low- weight knapsack cryptosystems, 
which we illustrate on the Chor-Rivest cryptosystem. We also provide a simple 
asymptotic bound on the number of integer points to analyze the theoretical 
resistance of low-weight knapsack cryptosystems. Mazo and Odlyzko [9] earlier 
gave sharp bounds in certain cases which are well-suited to usual knapsacks, 
but not to low-weight knapsacks. As a result, we introduce the so-called 
pseudo-density $\kappa = r \log_2 n / \log_2 A$ (where $r = \sum_{i=1}^n m_i$) to measure the resistance 
of low-weight knapsacks to lattice attacks: if $\kappa$ is sufficiently low, we establish 
provable reductions to SVP and CVP. This shows that the security of the 
Okamoto-Tanaka-Uchiyama cryptosystem [19] from Crypto ’00 cannot be based 
on a density argument because its pseudo-density is too low: like NTRU [4] , the 
security requires the hardness of lattice problems. However, we do not claim to 
break OTU, and we actually believe that this system may be secure with an 
appropriate choice of the parameters, due to the gap between lattice oracles and 
existing lattice reduction algorithms, when the lattice dimension is sufficiently 
high. Our work shows that the density alone is not sufficient to measure the 
resistance to lattice attacks: one must also take into account the weight of the 
solution, which is what the pseudo-density does. 

Related Work. Omura and Tanaka [20] showed that the Lagarias-Odlyzko 
reduction [6] could still apply to practical instantiations of the Chor-Rivest and 
Okamoto-Tanaka-Uchiyama schemes with binary encoding. However, they relied 
on the counting techniques of Mazo and Odlyzko [9] which are not tailored to 
low-weight knapsacks. Hence, they could analyze numerically the resistance of 
any concrete choice of the parameters, but the asymptotic behaviour was not 
clear. As a result, it was left open to define an analogue of density for low-weight 
knapsacks, and it was unknown whether or not the reduction could still work 
when plaintexts were non-binary strings such as in the powerline encoding. Our 
work shows that more general encodings like the powerline encoding do not rule 
out lattice attacks either. 

Road map. The paper is organized as follows. In Section 2 we provide necessary 
background on lattices and the number of integer points in high-dimensional 
spheres. We study reductions from knapsacks to the closest lattice vector problem 
(CVP) in Section 3, in the case of binary knapsacks and low-weight knapsacks. 
We then extend those reductions to the shortest lattice vector problem (SVP) in 
Section 4. We apply our results to the OTU cryptosystem in Section 5, and to 
the Chor-Rivest cryptosystem in Section 6. Finally, we discuss the significance 
of our results on the security of low-weight knapsack cryptosystems in Section 7. 
2 Background 

2.1 Lattices 

Let $\|\cdot\|$ and $\langle\cdot,\cdot\rangle$ be the Euclidean norm and inner product of $\mathbb{R}^n$. We refer to 
the survey [17] for a bibliography on lattices. In this paper, by the term lattice, 
we actually mean an integral lattice. An integral lattice is a subgroup of $(\mathbb{Z}^n, +)$, 
that is, a non-empty subset $L$ of $\mathbb{Z}^n$ which is stable by subtraction: $x - y \in L$ 
whenever $(x, y) \in L^2$. The simplest lattice is $\mathbb{Z}^n$. It turns out that in any lattice 
$L$, not just $\mathbb{Z}^n$, there must exist linearly independent vectors $b_1, \ldots, b_d \in L$ such 
that: 

Any such $d$-tuple of vectors $b_1, \ldots, b_d$ is called a basis of $L$: a lattice can be 
represented by a basis, that is, a matrix. Conversely, if one considers $d$ integral 
vectors $b_1, \ldots, b_d \in \mathbb{Z}^n$, the previous set of all integral linear combinations of 
the $b_i$'s is a subgroup of $\mathbb{Z}^n$, and therefore a lattice. 

The dimension of a lattice $L$ is the dimension $d$ of the linear span of $L$. Since 
our lattices are subsets of $\mathbb{Z}^n$, they must have a shortest nonzero vector: in any 
lattice $L \subseteq \mathbb{Z}^n$, there is at least one nonzero vector $v \in L$ such that no other 
nonzero lattice vector has a Euclidean norm strictly smaller than that of $v$. 
Finding such a vector $v$ from an arbitrary basis of $L$ is called the shortest vector 
problem (SVP). Another famous lattice problem is the closest vector problem 
(CVP): given a basis of $L \subseteq \mathbb{Z}^n$ and a point $t \in \mathbb{Q}^n$, find a lattice vector $w \in L$ 
minimizing the Euclidean norm of $w - t$. 

It is well-known that as the dimension increases, CVP is NP-hard and SVP 
is NP-hard under randomized reductions (see [17,12] for a list of complexity 
references). However, in practice, the best lattice reduction algorithms give good 
results up to moderate dimension: we will discuss this issue in Section 7. This 
is why it is interesting to study the solvability of various algorithmic problems, 
when one is given access to a SVP-oracle or a CVP-oracle in moderate dimension. 
We will call the oracles only once. 

2.2 Lattice Points in High-Dimensional Spheres 

Following [1,9], we denote by $N(n, r)$ the number of integer points in the $n$-dimensional 
sphere of radius $\sqrt{r}$ centered at the origin: that is, $N(n, r)$ is the 
number of $(x_1, \ldots, x_n) \in \mathbb{Z}^n$ such that $\sum_{i=1}^n x_i^2 \le r$. Clearly, we have the following 
induction formula (which was also given in the full version of [1]): 

$$N(n, r) = \begin{cases} 1 & \text{if } n = 0 \text{ and } r \ge 0, \\ 0 & \text{if } n = 0 \text{ and } r < 0, \\ \sum_{j = -\lfloor \sqrt{r} \rfloor}^{\lfloor \sqrt{r} \rfloor} N(n-1, r - j^2) & \text{if } n > 0. \end{cases}$$

This allows one to compute $N(n, r)$ numerically when $n$ and $r$ are not too large, 
since the running time is clearly polynomial in $(n, r)$. 

When $n$ grows to infinity, sharp estimates of $N(n, r)$ are known when $r$ is 
proportional to $n$ (see [9]), in which case $N(n, r)$ is exponential in $n$. Two particular 
cases are interesting for the knapsack problem: the techniques of Mazo 
and Odlyzko [9] show that $N(n, n/2) \le 2^{c_0 n}$ and $N(n, n/4) \le 2^{c_1 n}$ where 
$(c_0, c_1) = (1.54724\ldots, 1.0628\ldots)$. Note that $1/c_0 = 0.6463\ldots$ is the critical 
density of the Lagarias-Odlyzko attack [6], while $1/c_1 = 0.9409\ldots$ is the critical 
density of the attack of Coster et al. [3]. These techniques are very useful when 
the ratio $r/n$ is fixed and known, but less so for more general choices of $n$ and $r$. 

For low-weight knapsacks, we need to upper bound N(n,r) when r is sub- 
linear in n, in which case the techniques of Mazo and Odlyzko [9] do not seem 
well-suited. We will use instead the following simple bound: 

Lemma 1. For all $n, r > 0$: 

$$N(n, r) \le 2^r \binom{n+r-1}{r}.$$


Proof. Any vector counted by $N(n, r)$ has at most $r$ non-zero coordinates. Therefore, 
it suffices to bound the number of integer points with non-negative coordinates, 
and to multiply by $2^r$ to take sign into account. To conclude, the number of integer 
points with non-negative coordinates and norm at most $\sqrt{r}$ is bounded 
by the number $K_n^r$ of combinations of $r$ elements among $n$ with repetition. And 
it is well-known that $K_n^r = \binom{n+r-1}{r}$. □ 

(A caveat on the edge case: for $r = 1$ the right-hand side is $2n$ while $N(n, 1) = 2n+1$, 
so the bound cannot hold in this form at $r = 1$. Since every counted vector satisfies 
$\sum_i |x_i| \le \sum_i x_i^2 \le r$, and exactly $\binom{n+r}{r}$ vectors of $\mathbb{N}^n$ have coordinate sum at 
most $r$, the bound $N(n, r) \le 2^r \binom{n+r}{r}$ holds for every $r \ge 0$, with the same 
asymptotic behaviour as the one above.) 

Corollary 1. For all $n, r > 0$: 

$$N(n, r) \le 2^r\, e^{r(r-1)/(2n)}\, \frac{n^r}{r!}.$$

Proof. It suffices to prove that $r!\binom{n+r-1}{r} / n^r \le e^{r(r-1)/(2n)}$. We have: 

$$r!\binom{n+r-1}{r} = (n+r-1)(n+r-2)\cdots n = n^r \prod_{i=1}^{r-1}\Bigl(1 + \frac{i}{n}\Bigr) \le n^r \exp\Bigl(\sum_{i=1}^{r-1} \frac{i}{n}\Bigr) = n^r e^{r(r-1)/(2n)},$$

using $1 + x \le e^x$ for each factor. □ 

It follows that if both $n$ and $r$ grow to infinity with a sublinear $r = o(n)$, then 
$N(n, r) = o(n^r)$ by Stirling's estimate. 
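The recursion and the bounds of this section, as an added example (editorial code, not the paper's): $N(n, r)$ is computed bottom-up so that the recursion depth plays no role, the bound of Lemma 1, its closed form from Corollary 1 and the variant $2^r\binom{n+r}{r}$ that also covers $r = 1$ are implemented side by side, and the last two helpers compute the pseudo-density $\kappa$ of the introduction and $\log_2$ of $N(n, r)/A$, which is the failure-probability term of the reductions in Sections 3 and 4. The parameter set used at the end ($n = 1024$, weight 16, 200-bit $a_i$) is constructed for illustration and is not OTU's.

```python
from math import comb, exp, factorial, isqrt, log2


def N(n, r):
    """Number of (x_1, ..., x_n) in Z^n with x_1^2 + ... + x_n^2 <= r, by the recursion of
    Section 2.2 evaluated bottom-up: row[t] holds N(k, t) for the current k and all t <= r."""
    if r < 0:
        return 0
    row = [1] * (r + 1)                                   # N(0, t) = 1 for every t >= 0
    for _ in range(n):                                    # N(k, t) = sum_j N(k-1, t - j^2), |j| <= sqrt(t)
        row = [sum(row[t - j * j] for j in range(-isqrt(t), isqrt(t) + 1)) for t in range(r + 1)]
    return row[r]


def lemma1_bound(n, r):
    """2^r * C(n+r-1, r): the bound of Lemma 1 (multisets of size r from n, times sign choices)."""
    return 2 ** r * comb(n + r - 1, r)


def uniform_bound(n, r):
    """2^r * C(n+r, r): every counted vector has sum |x_i| <= sum x_i^2 <= r and C(n+r, r) vectors
    of N^n have coordinate sum <= r, so this variant is valid for every r >= 0 (Lemma 1 misses r = 1)."""
    return 2 ** r * comb(n + r, r)


def corollary1_bound(n, r):
    """2^r * e^{r(r-1)/(2n)} * n^r / r!, the closed form of Corollary 1."""
    return 2 ** r * exp(r * (r - 1) / (2 * n)) * n ** r / factorial(r)


def log2_rate(n, r):
    """log2 N(n, r) / n, to compare with the Mazo-Odlyzko constants c0 (r = n/2) and c1 (r = n/4)."""
    return log2(N(n, r)) / n


def pseudo_density(n, r, log2_A):
    """kappa = r log2(n) / log2(A) from the introduction, for weight r and bit-length log2(A)."""
    return r * log2(n) / log2_A


def log2_failure_bound(n, r, log2_A):
    """log2 of N(n, r) / A, the term bounding the failure probability of the reductions of
    Sections 3 and 4 for a solution m with ||m||^2 = r; a negative value means the bound is useful."""
    return log2(N(n, r)) - log2_A


if __name__ == "__main__":
    for n, r in [(2, 1), (10, 1), (10, 2), (10, 3), (40, 10), (40, 20)]:
        print(f"N({n},{r}) = {N(n, r)}  lemma1 = {lemma1_bound(n, r)}  uniform = {uniform_bound(n, r)}"
              f"  corollary1 = {corollary1_bound(n, r):.1f}")
    print("log2 N(40,20)/40 =", round(log2_rate(40, 20), 4), " (c0 = 1.54724)")
    print("log2 N(40,10)/40 =", round(log2_rate(40, 10), 4), " (c1 = 1.0628)")
    # constructed low-weight parameters for illustration (not OTU's): n = 1024, weight 16, 200-bit a_i
    print("kappa =", pseudo_density(1024, 16, 200), " log2(N/A) =", round(log2_failure_bound(1024, 16, 200), 1))
```

For the constructed parameters $\log_2 N(1024, 16)$ is about 132, so with 200-bit $a_i$ the failure bound is around $2^{-68}$ even though the density $1024/200 \approx 5$ is far above 1: this is the gap between density and pseudo-density that the paper is about.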
3 Reducing Knapsacks to the Closest Vector Problem 

In this section, we provide a general framework to reduce the knapsack problem 
to the closest vector problem. This allows us to easily study the case of low- 
weight knapsacks, which arguably simplifies the approach of [20] based on [6]. 
The earlier work [6,3] only considered reductions to the shortest vector problem, 
but we start with the closest vector problem because it is simpler to understand, 
and it gives slightly stronger reductions. We will later adapt those results to the 
shortest vector problem. 

We will distinguish two types of knapsacks. The binary knapsack problem is 
the original knapsack problem: given a set $\{a_1, a_2, \ldots, a_n\}$ of positive integers 
and a sum $s = \sum_{i=1}^n m_i a_i$ where each $m_i \in \{0, 1\}$, recover the $m_i$'s. Because 
of the powerline encoding, we will also be interested in a more general knapsack 
problem with non-binary coefficients, which we call the low-weight knapsack 
problem: given a set $\{a_1, \ldots, a_n\}$ of positive integers and a linear combination 
$s = \sum_{i=1}^n m_i a_i$ where each $m_i \in \mathbb{Z}$ and $r = \sum_{i=1}^n |m_i|$ is small, recover the $m_i$'s. 
The case $r = o(n)$ is of particular interest. 

3.1 A General Framework 

Solving the knapsack problem amounts to finding a small solution of an inhomogeneous 
linear equation, which can be viewed as a closest vector problem 
in a natural way, by considering the corresponding homogeneous linear equation, 
together with an arbitrary solution of the inhomogeneous equation. Let 
$s = \sum_{i=1}^n m_i a_i$ be a subset sum, where each $m_i \in \{0, 1\}$. 

The link between knapsacks and lattices comes from the homogeneous linear 
equation. Consider indeed the set $L$ of all integer solutions to the homogeneous 
equation, that is, $L$ is the set of vectors $(z_1, \ldots, z_n) \in \mathbb{Z}^n$ such that: 

$$z_1 a_1 + \cdots + z_n a_n = 0. \qquad (1)$$

The set $L$ is clearly a subgroup of $\mathbb{Z}^n$ and is therefore a lattice. Its dimension is 
$n - 1$. It is well-known that a basis of $L$ can be computed in polynomial time 
from the $a_i$'s (see e.g. [16] for one way to do so). 

Using an extended gcd algorithm, one can compute in polynomial time integers 
$y_1, \ldots, y_n$ such that 

$$s = \sum_{i=1}^n y_i a_i. \qquad (2)$$

The $y_i$'s form an arbitrary solution of the inhomogeneous equation. Now the 
vector $v = (y_1 - m_1, \ldots, y_n - m_n)$ belongs to $L$. And this lattice vector is fairly 
close to the vector $t_1 = (y_1, \ldots, y_n)$ as the coordinates of the difference are the 
$m_i$'s. The main idea is that by finding the closest vector to $t_1$ in the lattice $L$, 
one may perhaps recover $v$ and hence the $m_i$'s. The success probability of our 
reductions will depend in a simple manner on the number of integer points in 
high-dimensional spheres. 
3.2 Binary Knapsacks 

In the case of binary knapsacks, the distance between $t_1$ and $v$ is roughly 
$\sqrt{n/2}$. But because $m_i \in \{0, 1\}$, the lattice vector $v$ is even closer to the vector 
$t_2 = (y_1 - 1/2, \ldots, y_n - 1/2)$, for which the distance is exactly $\sqrt{n/4}$. It is this 
simple fact which explains the difference of critical density between the Lagarias-
Odlyzko reduction [6] and the reduction by Coster et al. [3]. The following results 
are straightforward: 

Lemma 2. In the case of binary knapsacks, we have: 

1. $v$ is a closest vector to $t_2$ in the lattice $L$. 

2. If $v'$ is a closest vector to $t_2$ in $L$, then $\|v' - t_2\| = \sqrt{n/4}$ and $v'$ is of the 
form $v' = (y_1 - m'_1, \ldots, y_n - m'_n)$ where $s = \sum_{i=1}^n m'_i a_i$ and $m'_i \in \{0, 1\}$. 

Proof. The key observation is that elements of the lattice have integer coordinates 
and that each coordinate contributes to the distance to $t_2$ by at least $1/2$. □ 

This gives a deterministic polynomial-time reduction from the binary knapsack 
problem to the closest vector problem (CVP) in a lattice of dimension $n - 1$: 
this reduction was sketched in the survey [17], and can be viewed as a variant 
of an earlier reduction by Micciancio [11], who used a different lattice whose 
dimension was $n$, instead of $n - 1$ here. 

Thus, a single call to a CVP-oracle in an $(n-1)$-dimensional lattice automatically 
gives us a solution to the binary knapsack problem, independently of 
the value of the knapsack density, but this solution may not be the one we are 
looking for, unless the unicity of the solution is guaranteed. One particular case 
for which the unicity is guaranteed is Merkle-Hellman: more generally, for any 
traditional knapsack cryptosystem such that the set of plaintexts is the whole 
$\{0, 1\}^n$ without decryption failures, a single call to a CVP-oracle is sufficient to 
decrypt. 

It is nevertheless interesting to know when one can guarantee the unicity of 
the solution for general knapsacks. But if for instance some $a_i$ is a subset sum 
of other $a_j$'s where $j \in J$, then clearly, all knapsacks involving only $a_i$ and $a_l$'s 
where $l \notin J$ may also be decomposed differently using the $a_j$'s where $j \in J$. 
This means that to guarantee unicity of solutions in a general knapsack, we may 
only hope for probabilistic statements, by considering random knapsacks where 
the $a_i$'s are assumed to be chosen uniformly at random in $[0, A]$: 

Theorem 1. Let $(m_1, \ldots, m_n) \in \{0, 1\}^n$. Let $a_1, \ldots, a_n$ be chosen uniformly 
and independently at random in $[0, A]$. Let $s = \sum_{i=1}^n m_i a_i$. Let $L$ and the $y_i$'s 
be defined by (1) and (2). Let $c$ be a vector in $L$ closest to the vector $t_2 = (y_1 - 
1/2, \ldots, y_n - 1/2)$. Then the probability that $c$ is not equal to $(y_1 - m_1, \ldots, y_n - 
m_n)$ is less than $(2^n - 1)/A$. 

Proof. By Lemma 2, $c$ is of the form $c = (y_1 - m'_1, \ldots, y_n - m'_n)$ where $s = 
\sum_{i=1}^n m'_i a_i$ and $m'_i \in \{0, 1\}$. If $c$ is not equal to $(y_1 - m_1, \ldots, y_n - m_n)$, then 
$m' = (m'_1, \ldots, m'_n) \neq m = (m_1, \ldots, m_n)$. But: 

$$\sum_{i=1}^n (m_i - m'_i)\, a_i = 0. \qquad (3)$$

Since $m \neq m'$, there exists $i_0$ such that $m_{i_0} \neq m'_{i_0}$. For any choice of $(a_i)_{i \neq i_0}$, 
there exists a unique choice of $a_{i_0}$ satisfying (3), since $m_{i_0} - m'_{i_0} = \pm 1$. It follows 
that for a given $m' \neq m$, the probability that $(y_1 - m'_1, \ldots, y_n - m'_n)$ is equal 
to $c$ is less than $1/A$. We conclude since the number of $m'$ is $2^n - 1$. □ 

This shows that when the density $d = n/\log_2 A$ is less than 1, there is with high 
probability a unique solution, and this solution can be obtained by a single call 
to a CVP-oracle in dimension $n - 1$. 


3.3 Low-Weight Knapsacks 

We showed that the hidden vector $v \in L$ related to the knapsack solution was 
relatively close to two target vectors $t_1$ and $t_2$. In fact, $v$ was a lattice vector 
closest to $t_2$: the distance was $\sqrt{n/4}$. In the general binary case, this was better 
than $t_1$ for which the distance was expected to be $\sqrt{n/2}$, provided that the 
Hamming weight of the knapsack was roughly $n/2$. But if the Hamming weight 
$k$ is much smaller than $n/2$, then the distance between $v$ and $t_1$ is only $\sqrt{k}$, 
which is much less than $\sqrt{n/4}$. We obtain the following general result regarding 
low-weight knapsacks (not necessarily binary): 

Theorem 2. Let $m = (m_1, \ldots, m_n) \in \mathbb{Z}^n$. Let $a_1, \ldots, a_n$ be chosen uniformly 
and independently at random in $[0, A]$. Let $s = \sum_{i=1}^n m_i a_i$. Let $L$ and the $y_i$'s 
be defined by (1) and (2). Let $c$ be a vector in $L$ closest to the vector $t_1 = 
(y_1, \ldots, y_n)$. Then the probability that $c$ is not equal to $(y_1 - m_1, \ldots, y_n - m_n)$ 
is less than $N(n, \|m\|^2)/A$. 

Proof. By definition, $c$ is of the form $c = (y_1 - m'_1, \ldots, y_n - m'_n)$ where $s = 
\sum_{i=1}^n m'_i a_i$ and $m'_i \in \mathbb{Z}$. Let $m' = (m'_1, \ldots, m'_n)$. Because $c$ cannot be farther 
from $t_1$ than $v$, $\|m'\| \le \|m\|$. If $c$ is not equal to $(y_1 - m_1, \ldots, y_n - m_n)$, then 
$m' \neq m = (m_1, \ldots, m_n)$: there exists $i_0$ such that $m_{i_0} \neq m'_{i_0}$. For any choice of 
$(a_i)_{i \neq i_0}$, there exists at most one choice of $a_{i_0}$ satisfying (3). It follows that for a 
given $m' \neq m$, the probability that $(y_1 - m'_1, \ldots, y_n - m'_n)$ is the closest vector 
is less than $1/A$. We conclude since the number of $m'$ is less than $N(n, \|m\|^2)$, 
as $\|m'\| \le \|m\|$. □ 

Note that $N(n, \|m\|^2)$ can be evaluated numerically from Section 2.2, so that 
one can bound the failure probability for any given choice of the parameters. 

We saw that $t_1$ was better than $t_2$ with low-weight knapsacks, but the choice 
$t_1$ can be improved if $k = \sum_{i=1}^n m_i \neq 0$, which is the case of usual knapsacks 
where all the $m_i$'s are positive. Consider indeed $t_3 = (y_1 - k/n, y_2 - k/n, \ldots, y_n - 
k/n)$. Then $\|v - t_3\|^2 = \|m\|^2 - k^2/n$, which is less than $\|v - t_1\|^2 = \|m\|^2$. By 
replacing $t_1$ with $t_3$ in Theorem 2, the result becomes: 

Theorem 3. Let $m = (m_1, \ldots, m_n) \in \mathbb{Z}^n$ and $k = \sum_{i=1}^n m_i$. Let $a_1, \ldots, a_n$ be 
chosen uniformly and independently at random in $[0, A]$. Let $s = \sum_{i=1}^n m_i a_i$. 
Let $L$ and the $y_i$'s be defined by (1) and (2). Let $c$ be a vector in $L$ closest to the 
vector $t_3 = (y_1 - k/n, \ldots, y_n - k/n)$. Then the probability that $c$ is not equal to 
$(y_1 - m_1, \ldots, y_n - m_n)$ is less than $N(n, \|m\|^2 - k^2/n)/A$. 

If $k = \sum_{i=1}^n m_i$ is proportional to $n$, Theorem 3 yields a significant improvement 
over Theorem 2: for instance, if we consider a binary random knapsack for which 
$k \approx n/2$, Theorem 3 involves $N(n, n/4)$ instead of $N(n, n/2)$ for Theorem 2, 
which is exactly the difference between the critical densities of the Lagarias-
Odlyzko reduction [6] and the reduction by Coster et al. [3]. However, in the case 
of low-weight knapsacks where $k = o(n)$, the improvement becomes marginal, as 
$k^2/n$ is then negligible with respect to $\|m\|^2$. To simplify the presentation and 
the discussion, we will therefore rather consider Theorem 2. 

4 Reducing Knapsacks to the Shortest Vector Problem 

In the previous section, we established reductions from knapsack problems (binary 
and low-weight) to the closest vector problem. The original lattice attacks [6,3] 
on knapsacks only considered reductions to the shortest vector problem (SVP), 
not to CVP. In this section, we show that our reductions to CVP 
can be adapted to SVP, thanks to the well-known embedding (or homogenization) 
method introduced by Kannan (see [5,12,13]), which tries to transform an 
$(n-1)$-dimensional CVP to an $n$-dimensional SVP. In general, the embedding 
method is only heuristic, but it can be proved in the special case of knapsack 
lattices. This is interesting from a practical point of view, because CVP is often 
solved that way. 

We adapt Theorem 2 to SVP. Again, we let $s = \sum_{i=1}^n m_i a_i$. Let $L$ be the 
lattice defined by (1), and let the $y_i$'s be defined by (2). Let $(b_1, \ldots, b_{n-1})$ 
be a basis of $L$. We embed $L$ into the $n$-dimensional lattice $L'$ spanned by 
$(1, y_1, \ldots, y_n) \in \mathbb{Z}^{n+1}$ and the $n - 1$ vectors of the form $(0, b_i) \in \mathbb{Z}^{n+1}$. We let 
$m' = (1, m_1, \ldots, m_n) \in \mathbb{Z}^{n+1}$. By definition, $m' \in L'$ and its norm is relatively 
short. The following result bounds the probability that $m'$ is not a shortest vector 
of $L'$. 

Theorem 4. Let $m = (m_1, \ldots, m_n) \in \mathbb{Z}^n$. Let $a_1, \ldots, a_n$ be chosen uniformly 
and independently at random in $[0, A]$. Let $s = \sum_{i=1}^n m_i a_i$. Let $L'$, $m'$ and the 
$y_i$'s be defined as previously. Let $\mathbf{s}$ be a shortest non-zero vector in $L'$. Then the 
probability that $\mathbf{s}$ is not equal to $\pm m'$ is less than 

$$\bigl(1 + 2(1 + \|m\|^2)^{1/2}\bigr)\, N(n, \|m\|^2)/A.$$

Proof. By definition of $L'$, $\mathbf{s}$ is of the form $\mathbf{s} = (r, r y_1 - z_1, \ldots, r y_n - z_n)$ where 
$r \in \mathbb{Z}$ and $(z_1, \ldots, z_n) \in L$. Since $\mathbf{s}$ is a shortest vector: 

$$\|\mathbf{s}\|^2 \le \|m'\|^2 = 1 + \|m\|^2. \qquad (4)$$
It follows that $r^2 \le 1 + \|m\|^2$. Let $u_i = r y_i - z_i$ and $u = (u_1, \ldots, u_n)$. We have 
$\|u\| \le \|\mathbf{s}\|$. Notice that: 

$$\sum_{i=1}^n (u_i - r m_i)\, a_i = 0. \qquad (5)$$

We distinguish two cases. If $r = 0$, then $u \neq 0$, and it follows that the probability 
of (5) being satisfied for a given $u \neq 0$ is less than $1/A$. And the number of 
possible $u$ is bounded by $N(n, \|m\|^2)$. Otherwise, $r \neq 0$, and there are at most 
$2(1 + \|m\|^2)^{1/2}$ possible values for $r$. If $\mathbf{s} \neq \pm m'$, we claim that there exists $i_0$ 
such that $u_{i_0} - r m_{i_0} \neq 0$, in which case the probability that (5) is satisfied is less 
than $1/A$. Otherwise, $u = rm$: if $|r| > 1$, this would imply that $\|u\| > \|m\|$, and 
$\mathbf{s}$ would not be shorter than $m'$; else $r = \pm 1$, and $u = \pm m$, which contradicts 
$\mathbf{s} \neq \pm m'$. This concludes the proof. □ 

Theorem 4 provides essentially the same bound on the success probability as 
Theorem 2, because $\|m\|$ is negligible with respect to $N(n, \|m\|^2)$. This means 
that in the case of low-weight knapsacks, there is no significant difference between 
the CVP and SVP cases. 

Theorem 4 can be viewed as a generalization of the Lagarias-Odlyzko re- 
sult [6]. Indeed, if we consider a binary knapsack of Hamming weight < n/2 
(which we may assume without loss of generality), then the failure probability 
is less than 

(l + 2(l + n/2) 1 / 2 )V(n,n/2)/A. 

Since N(n,n/2) < 2 C °” where Co = 1.54724... (see Section 2), it follows that 
the failure probability of the reduction to SVP is negligible provided that the 
density d = n/log 2 A is strictly less than 1/co = 0.6463 . . ., which matches the 
Lagarias-Odlyzko result [6] . 

We omit the details but naturally, the improvement of Theorem 3 over Theorem 2 can be adapted to Theorem 4 as well: $N(n, \|m\|^2)$ would decrease to $N(n, \|m\|^2 - k^2/n)$ where $k =$ , provided that one subtracts $k/n$ from both $y_i$ and $m_i$ in the definition of $L'$ and $m'$. In the particular case of binary knapsacks, this matches the result of Coster et al. [3]: because $N(n, n/4) < 2^{c_1 n}$ where $c_1 = 1.0628\ldots$, the failure probability would be negligible provided that the knapsack density is less than $1/c_1 = 0.9409\ldots$ Whereas there was almost no difference between the CVP reduction and the SVP reduction for low-weight knapsacks, there is a difference in the case of binary knapsacks: in Theorem 1, the critical density was 1 and not $1/c_1$. And that would not have changed if we had transformed the CVP-reduction of Theorem 1 (instead of that of Theorem 3) into a probabilistic reduction to SVP. This is because Lemma 2 used in Theorem 1 (but not in Theorem 3) has no analogue in the SVP setting, which explains why the result with a CVP-oracle is a bit stronger than with an SVP-oracle: there are more parasites with SVP.

In other words, the framework given in Section 3 revisits the SVP reductions of Lagarias-Odlyzko [6] and Coster et al. [3]. By applying the embedding technique, we obtain the same critical densities when transforming our CVP reductions of Theorems 2 and 3 into SVP reductions.
5 Application to the OTU Cryptosystem

In this section, we apply the results of Sections 2, 3 and 4 to the Okamoto- 
Tanaka-Uchiyama cryptosystem [19] from Crypto 2000. 

5.1 Description of OTU 

The OTU cryptosystem is a knapsack cryptosystem where the knapsack has a 
hidden structure based on discrete logarithms like the Chor-Rivest scheme [2], 
but where no information on the DL group leaks, thwarting attacks like [22]. The 
key generation of OTU requires the extraction of discrete logarithms: if quantum 
computers are available, one can apply Shor’s quantum algorithm, otherwise one 
uses groups with a special structure (e.g. groups of smooth order) so that DL is 
tractable. 

The knapsack $(a_1, \ldots, a_n)$ used by OTU has a special structure. Let $A = \max_{1 \leq i \leq n} a_i$. To allow decryption, it turns out that $A$ is such that $A \geq p^k$ for some integers $p, k \geq 1$, and $p$ is such that there are at least $n$ coprime numbers $\leq p$, which implies that $p \geq n$, and therefore $A \geq n^k$, and $\log_2 A$ is at least linear in $k$. The OTU scheme allows two kinds of encoding:

— The binary encoding, where the plaintexts are all $(m_1, \ldots, m_n) \in \{0,1\}^n$ such that $\sum_{i=1}^n m_i = k$.

— The powerline encoding [7], where the plaintexts are all $(m_1, \ldots, m_n) \in \mathbb{N}^n$ such that $\sum_{i=1}^n m_i = k$.

There is no concrete choice of parameters proposed in [19]. However, it was pointed out on page 156 of [19] that the choice $k = 2^{(\log n)^c}$ where $c$ is a constant $< 1$ would have interesting properties. We will pay special attention to that case since it is the only asymptotic choice of $k$ given in [19], but we note from the discussion in [19, Section 3.4] that the scheme could tolerate larger values of $k$, up to maybe a constant times $n/\log n$. Perhaps the main drawback with larger values of $k$ is the key size, as the storage of the knapsack is $\Omega(nk)$ bits, which is then essentially quadratic if $k = n/\log n$. What is clear is that $k$ is at most $O(n/\log n)$: indeed the density in OTU is $O(n/(k \log n))$, and the density must be lower bounded by a constant $> 0$ to ensure the hardness of the knapsack, which implies that $k = O(n/\log n)$. This means that we should study two cases: the suggested case $k = 2^{(\log n)^c}$ where $c$ is a constant $< 1$, and the extreme case $k = O(n/\log n)$.

5.2 Resistance to Low-Density Attacks 

The parameter $A$ can be chosen as small as $O(p^k)$ and $p$ can be as small as $n \log n$. For the suggested case $k = 2^{(\log n)^c}$, we have $\log A = O(k \log p) = o(n)$. It follows that the usual density $d = n/\log_2 A$ grows to infinity, which is why it was claimed in [19] that OTU prevents usual lattice attacks [6,3]. However, this density argument is misleading because the weight $k$ is sublinear in $n$.

Let $m = (m_1, \ldots, m_n)$ and $s = \sum_{i=1}^n m_i a_i$. Theorems 4 and 2 provide efficient reductions from knapsacks to SVP and CVP, provided that $N(n, \|m\|^2)$ is negligible with respect to $A$.

With the binary encoding, we have $\|m\|^2 = k$, and therefore $N(n, \|m\|^2) = N(n, k)$. We know that due to the choice of $k$ in OTU (even in the extreme case), we have $k = o(n)$ with $k$ growing to infinity. Corollary 1 then implies that $N(n, k) = o(n^k)$, and therefore $N(n, k)/A = o(1)$ since $A \geq n^k$. Hence Theorems 4 and 2 provide efficient reductions (with success probability asymptotically close to 1) to SVP and CVP in dimension $n$, provided that $k = o(n)$, which is a necessary requirement for OTU.

We now show that the powerline encoding does not significantly improve the situation, even though a plaintext $m$ with the powerline encoding only satisfies $k \leq \|m\|^2 \leq k^2$. If $\|m\|^2$ were close to $k^2$, rather than $k$, Corollary 1 on $N(n, \|m\|^2)$ would not allow us to conclude, because $n^{k^2}$ would dominate $A$. The following result shows that $\|m\|^2$ is on average much closer to $k$, as in the binary encoding:

Theorem 5. There exists a computable constant $\alpha > 0$ such that the following holds. Let $1 \leq k \leq n$ and $y = (k-1)/n$. Let $m = (m_1, \ldots, m_n) \in \mathbb{N}^n$ be chosen uniformly at random such that $\sum_{i=1}^n m_i = k$. Then the expected value of $\|m\|^2$ satisfies:

$$E(\|m\|^2) \leq k(1 + \alpha y).$$

Proof. As in the proof of Lemma 1, let $K_k$ denote the number of combinations of $k$ elements among $n$ with repetition: $K_k = \binom{n+k-1}{k}$. We have:

$$E(\|m\|^2) = n\, E(m_1^2) = n \sum_{x=1}^{k} x^2\, \frac{\binom{n+k-x-2}{k-x}}{K_k} = \sum_{x=1}^{k} s(n, x, k),$$

where

$$s(n, x, k) = n(n-1)\, x^2\, \frac{k(k-1)\cdots(k-x+1)}{(n+k-1)(n+k-2)\cdots(n+k-x-1)}.$$

We will see that the first term dominates in this sum:

$$s(n, 1, k) = \frac{n(n-1)\, k}{(n+k-1)(n+k-2)} \leq k.$$

We now bound $s(n, x, k)$ for all $2 \leq x \leq k$:

$$s(n, x, k) \leq k x^2\, \frac{(k-1)(k-2)\cdots(k-x+1)}{(n+k-1)(n+k-2)\cdots(n+k-x+1)} = k x^2 \prod_{u=1}^{x-1} \frac{k-u}{n+k-u} \leq k x^2 \left(\frac{k-1}{n+k-1}\right)^{x-1} = k x^2 \left(\frac{y}{1+y}\right)^{x-1},$$

with $y = (k-1)/n$. Hence, by separating the first two terms in the sum:

$$E(\|m\|^2) \leq k \left( 1 + \frac{4y}{1+y} + \sum_{x=3}^{k} x^2 \left(\frac{y}{1+y}\right)^{x-1} \right).$$

Because $1 \leq k \leq n$, we have $0 \leq y < 1$ and $0 \leq y/(1+y) < 1/2$. Thus, we only need to bound the series:

$$f(y) = \sum_{x=3}^{k} x^2 \left(\frac{y}{1+y}\right)^{x-1}.$$

A short derivative computation shows that for any $0 < z < 1/2$, the function $x \mapsto x^2 z^{x-1}$ decreases over $x \geq 3$, because $2 + 3\ln(1/2) < 0$. Therefore, letting $z = y/(1+y)$, we obtain for all $k > 1$:

Since $z < 1/2$, it follows that one can compute an absolute constant $\beta > 0$ such that for all $k > 1$, $f(y) \leq \beta z$, which in fact also holds when $k = 1$, that is, $z = 0$. Hence for all $1 \leq k \leq n$:

$$E(\|m\|^2) \leq k(1 + (4 + \beta) y).$$

This concludes the proof with $\alpha = 4 + \beta$. □
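The expectation in Theorem 5 can be computed exactly from the closed form $\sum_x s(n, x, k)$ used in the proof. The following Python is an added example, not code from the paper: it evaluates that closed form with exact rationals, cross-checks it against brute-force enumeration of every $m \in \mathbb{N}^n$ with $\sum m_i = k$ for small parameters, and reports how far $E(\|m\|^2)/k$ sits above 1 relative to $y = (k-1)/n$ (the theorem says this ratio is at most $\alpha$, whose value is not given on the page). The parameter values at the bottom are chosen for illustration only.

```python
"""Exact E(||m||^2) for uniformly random m in N^n with sum(m) = k (Theorem 5).

Added example, not the paper's code.  The closed form is the sum of the terms
s(n, x, k) from the proof of Theorem 5; the brute-force enumeration is only a
cross-check for small n, k.
"""
from fractions import Fraction
from math import comb
from typing import Iterator, Tuple


def expected_sq_norm(n: int, k: int) -> Fraction:
    """E(||m||^2) = n E(m_1^2) = sum_{x=1}^{k} n x^2 C(n+k-x-2, k-x) / C(n+k-1, k).

    C(n+k-x-2, k-x) counts the vectors with m_1 = x (the other n-1 coordinates
    sum to k-x, with repetition); C(n+k-1, k) is K_k from the proof.
    """
    if n < 2 or k < 1:
        raise ValueError("need n >= 2 and k >= 1")
    K_k = comb(n + k - 1, k)
    return sum(
        Fraction(n * x * x * comb(n + k - x - 2, k - x), K_k)
        for x in range(1, k + 1)
    )


def compositions(n: int, k: int) -> Iterator[Tuple[int, ...]]:
    """Enumerate every (m_1, ..., m_n) in N^n with m_1 + ... + m_n = k."""
    if n == 1:
        yield (k,)
        return
    for first in range(k + 1):
        for rest in compositions(n - 1, k - first):
            yield (first,) + rest


def brute_force_sq_norm(n: int, k: int) -> Fraction:
    """Average of ||m||^2 over all compositions: exponential, small inputs only."""
    total, count = 0, 0
    for m in compositions(n, k):
        total += sum(x * x for x in m)
        count += 1
    return Fraction(total, count)


def excess_over_y(n: int, k: int) -> Fraction:
    """(E(||m||^2)/k - 1) / y with y = (k-1)/n; Theorem 5 bounds this by alpha.

    Undefined for k = 1 (y = 0), where E(||m||^2) = k exactly.
    """
    y = Fraction(k - 1, n)
    return (expected_sq_norm(n, k) / k - 1) / y


if __name__ == "__main__":
    # Cross-check the closed form against enumeration on small parameters.
    for n, k in [(2, 2), (3, 3), (5, 3), (4, 6)]:
        assert expected_sq_norm(n, k) == brute_force_sq_norm(n, k), (n, k)
    # Low-weight regime: k = o(n) makes y small and E(||m||^2) close to k.
    for n, k in [(1000, 20), (10_000, 20), (10_000, 100)]:
        e = expected_sq_norm(n, k)
        print(f"n={n:6d} k={k:4d}  E/k = {float(e / k):.5f}  "
              f"(E/k - 1)/y = {float(excess_over_y(n, k)):.4f}")
```

For $n = 1000$, $k = 20$ the expectation is about $20.76$, i.e. $\|m\|^2$ is within a few percent of $k$ rather than anywhere near $k^2 = 400$, which is the point of Theorem 5.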


When $k = o(n)$, we have $y = o(1)$ and the upper bound becomes $k(1 + \alpha y) = k(1 + o(1))$, which already shows that with the powerline encoding, the expected value of $\|m\|^2$ is essentially $k$, rather than $k^2$. This suggests that $N(n, \|m\|^2)$ will on average still be negligible with respect to $A$. But Theorem 5 allows us to give a sharper estimate. In the extreme case of OTU, we have $k = O(n/\log n)$ growing to infinity, so $y = O(1/\log n)$ and the upper bound becomes $r = k(1 + O(1/\log n))$. By Corollary 1:

$$\frac{N(n, r)}{A} \leq \frac{2^r\, e^{r(r-1)/(2n)}\, n^r}{r!\; n^k}.$$

Here, $r^2/n = k \cdot O(n/\log n)(1 + O(1/\log n))/n = O(k/\log n)$, therefore

$$2^r\, e^{r(r-1)/(2n)} = O(1)^k.$$

And $n^r = n^{k(1 + O(1/\log n))} = n^k \times \left(n^{O(1/\log n)}\right)^k \leq n^k \times O(1)^k$. Hence $N(n, r)/A \leq O(1)^k / r!$, which is $o(1)$ since $r \geq k$ grows to infinity.

Thus, the reductions of Theorems 4 and 2 succeed with overwhelming probability even with the powerline encoding, even if the extreme choice of $k$ in OTU is considered. This question was left open in [20].

Although we believe that the OTU cryptosystem may be secure with an 
appropriate choice of the parameters, our results indicate that in its current form, 
it cannot be supported by an argument based on density that would protect the 
system against a single call to an SVP oracle or a CVP oracle. 


5.3 The Pseudo-Density 


We now explain why in the case of low-weight knapsacks, Theorems 4 and 2 suggest to replace the usual density $d = n/\log_2 A$ by a pseudo-density defined by $\kappa = r \log_2 n / \log_2 A$, where $r$ is an upper bound on $\|m\|^2$, $m$ being the knapsack solution.

Theorems 4 and 2 showed that a low-weight knapsack could be solved with high probability by a single call to an SVP-oracle or a CVP-oracle, provided that $N(n, r)/A$ was small. Corollary 1 shows that:

$$\frac{N(n, r)}{A} \leq \frac{2^r\, e^{r(r-1)/(2n)}}{r!} \cdot \frac{n^r}{A}.$$

The left-hand term $2^r e^{r(r-1)/(2n)}/r!$ tends to 0 as $r$ grows to $\infty$, provided that $r = O(n)$. The right-hand term $n^r/A$ is $2^{r \log_2 n - \log_2 A} = 2^{(\kappa - 1)\log_2 A}$. This shows that if the pseudo-density $\kappa$ is $\leq 1$, then the right-hand term will be bounded, and therefore the low-weight knapsack can be solved with high probability by a single call to either an SVP-oracle or a CVP-oracle. On the other hand, if the pseudo-density $\kappa$ is larger than 1, it will not necessarily mean that the previous upper bound does not tend to zero, as there might be some compensation between the left-hand term and the right-hand term.

Consider for instance the case of OTU with binary encoding. For any choice of $k$, the pseudo-density $\kappa = k \log_2 n / \log_2 A$ is $\leq 1$ because $A \geq n^k$ due to decryption requirements. Therefore there is a reduction to SVP and CVP with probability asymptotically close to 1. On the other hand, if we consider the powerline encoding with an extreme case of $k$, the pseudo-density becomes $\kappa = k(1 + O(1/\log n)) \log_2 n / \log_2 A \leq 1 + O(1/\log n)$, which could perhaps be slightly larger than 1. Nevertheless, the computation of the previous section showed that $N(n, r)/A$ was still $o(1)$. Thus, the pseudo-density is a good indicator, but it may not suffice to decide in critical cases.


6 Application to the Chor-Rivest Cryptosystem 

The Chor-Rivest cryptosystem [2] is another low-weight knapsack cryptosystem, 
which survived for a long time until Vaudenay [22] broke it, for all the parameter 
choices proposed by the authors in [2] . Vaudenay used algebraic techniques spe- 
cific to the Chor-Rivest scheme, which do not apply to OTU. His attack recovers 
the private key from the public key. Schnorr and Horner [21] earlier tried to 
decrypt Chor-Rivest ciphertexts by solving the underlying low-weight knapsack
using an improved lattice reduction method which they introduced. They suc- 
ceeded for certain choices of moderate parameters, but failed for the parameter 
choices proposed in [2] . Despite the fact that the Chor-Rivest scheme is broken, 
it is an interesting case with respect to lattice attacks, and this is why we apply 
our results to this scheme. 

6.1 Description 

We give a brief description of the Chor-Rivest cryptosystem [2]. One selects a small prime $q$ and an integer $k$ such that one can compute discrete logarithms in $GF(q^k)$. One computes the discrete logarithms $b_1, \ldots, b_q \in \mathbb{Z}_{q^k - 1}$ of certain well-chosen elements in $GF(q^k)$, to ensure decryption. The elements of the knapsack are $a_i = b_i + d$ where $d$ is an integer chosen uniformly at random in $\mathbb{Z}_{q^k - 1}$. The set of plaintexts is the subset of all $(m_1, \ldots, m_q) \in \{0, 1\}^q$ having Hamming weight $k$, and the encryption of $(m_1, \ldots, m_q)$ is:

$$s = \sum_{i=1}^{q} a_i m_i \pmod{q^k - 1}.$$

The public key consists of $q$, $k$ and the $a_i$'s.

Strictly speaking, Chor-Rivest involves a modular knapsack problem (modulo $q^k - 1$), rather than the initial knapsack problem. The density of the Chor-Rivest knapsack is $d = q/(k \log q)$, which can therefore be rather high for appropriate choices of $q$ and $k$. But all our results on the knapsack problem we have discussed can be adapted to the modular knapsack problem. First of all, notice that a modular knapsack can be transformed into a basic knapsack if one can guess the hidden multiple of $q^k - 1$ involved, that is, if one knows the integer $l$ such that:

$$s + l(q^k - 1) = \sum_{i=1}^{q} a_i m_i.$$

Clearly, $l$ can be exhaustively searched, and it is less than $k$ (the right-hand side is a sum of $k$ terms each below $q^k - 1$). In the worst case for our reductions to lattice problems, the number of oracle calls will increase very slightly.

Alternatively, one can adapt the lattice used in our framework. Consider a modular knapsack $s = \sum_{i=1}^{n} a_i m_i \pmod{A}$. We replace the lattice $L$ defined by (1) by the set $L$ of vectors $(z_1, \ldots, z_n) \in \mathbb{Z}^n$ such that:

$$z_1 a_1 + \cdots + z_n a_n \equiv 0 \pmod{A}. \qquad (6)$$

The set $L$ is a subgroup of $\mathbb{Z}^n$ and is therefore a lattice. Its dimension is $n$, rather than $n - 1$. It is again well-known that a basis of $L$ can be computed in polynomial time. This time, we compute in polynomial time integers $y_1, \ldots, y_n$ such that

$$s \equiv \sum_{i=1}^{n} y_i a_i \pmod{A}. \qquad (7)$$

All of our results, such as Theorems 1-4, can then be adapted to modular knapsacks provided some obvious minor changes, which we omit. For instance, in the statements of Theorems 1-4, the uniform distribution must be over $[0, A[$, and we let $s = \sum_{i=1}^{n} a_i m_i \pmod{A}$. Naturally, equations (1) and (2) must be replaced respectively by equations (6) and (7).

6.2 Application 

By definition, the pseudo-density of the Chor-Rivest knapsack (with binary encoding) is $\kappa = k \log_2 q / \log_2(q^k) = 1$. We thus conclude that the low-weight knapsack problems arising from the Chor-Rivest cryptosystem can be efficiently reduced to SVP and CVP with probability close to 1. In retrospect, it is therefore not surprising that Schnorr and Horner [21] were able to solve certain Chor-Rivest knapsacks using lattice reduction.

Concretely, we can even compute upper bounds on the failure probability 
of the reduction for the parameters proposed in [2] and the ones used in [21], 
using numerical values of N(n,r), as explained in Section 2.2. The numerical 
results are summarized in Tables 1 and 2. Thus, if one had access to SVP-oracles 
or CVP-oracles in dimension roughly 200-250, one could decrypt Chor-Rivest 
ciphertexts with overwhelming probability for its proposed parameters. 

Table 1. Application to the Chor-Rivest parameters proposed in [2]

  Value of (q, k)        (197, 24)   (211, 24)   (256, 25)   (243, 24)
  Value of N(q, k)/q^k   2^(-…)      2^(-…)      2^(-…)      2^(-…)

Table 2. Application to the Chor-Rivest parameters attacked in [21]

  Value of (q, k)        (103, 12)   (151, 16)
  Value of N(q, k)/q^k   2^(-…)      2^(-…)

(The exponents in both tables are not legible in the scanned source; only the parameter pairs are recoverable.)
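To make the pseudo-density of Section 5.3 and the Chor-Rivest figures of Section 6.2 concrete, here is an added Python example (not code from the paper). It evaluates $\kappa = r \log_2 n / \log_2 A$, the usual density $d = n/\log_2 A$, and the $\log_2$ of the Corollary 1 upper bound $2^r e^{r(r-1)/(2n)} n^r / (r!\, A)$ on $N(n, r)/A$, for the Chor-Rivest parameters of Tables 1 and 2 with $n = q$, $r = k$ and $A = q^k - 1$, and for an OTU-style binary-encoding instance with $A = n^k$ (an assumed toy parameter). The bound is only an upper bound: the tables use exact values of $N(q, k)$, so their exponents are not reproduced by this computation.

```python
"""Pseudo-density and the Corollary 1 bound on N(n, r)/A.

Added example, not from the paper.  Corollary 1 as quoted in Section 5.3:
    N(n, r)/A <= 2^r * e^{r(r-1)/(2n)} * n^r / (r! * A).
Everything is computed in log2 so that 200-bit values of A are handled.
"""
import math
from typing import List, Tuple


def pseudo_density(n: int, r: int, A: int) -> float:
    """kappa = r log2(n) / log2(A); r bounds ||m||^2 (r = k for binary encoding)."""
    return r * math.log2(n) / math.log2(A)


def usual_density(n: int, A: int) -> float:
    """The classical knapsack density d = n / log2(A)."""
    return n / math.log2(A)


def corollary1_log2_bound(n: int, r: int, A: int) -> float:
    """log2 of the Corollary 1 upper bound on N(n, r)/A.

    The left-hand factor 2^r e^{r(r-1)/(2n)} / r! goes to 0 for r = O(n); the
    right-hand factor n^r / A equals 2^{(kappa - 1) log2 A}, so kappa <= 1
    keeps it bounded.
    """
    ln2 = math.log(2)
    left = r + (r * (r - 1) / (2 * n)) / ln2 - math.lgamma(r + 1) / ln2
    right = r * math.log2(n) - math.log2(A)
    return left + right


def chor_rivest_table(params: List[Tuple[int, int]]) -> List[Tuple[int, int, float, float, float]]:
    """For each (q, k): (q, k, usual density, pseudo-density, log2 bound on N(q,k)/A)."""
    rows = []
    for q, k in params:
        A = q ** k - 1            # modulus of the Chor-Rivest knapsack
        rows.append((q, k, usual_density(q, A), pseudo_density(q, k, A),
                     corollary1_log2_bound(q, k, A)))
    return rows


if __name__ == "__main__":
    # Parameters proposed in [2] (Table 1) and attacked in [21] (Table 2).
    params = [(197, 24), (211, 24), (256, 25), (243, 24), (103, 12), (151, 16)]
    print(f"{'(q,k)':>10} {'density':>8} {'kappa':>7} {'log2 bound':>11}")
    for q, k, d, kappa, lb in chor_rivest_table(params):
        print(f"({q},{k})".rjust(10), f"{d:8.3f} {kappa:7.4f} {lb:11.1f}")
    # OTU with binary encoding and the smallest A allowed by decryption, A = n^k
    # (assumed toy sizes): kappa is exactly 1 whatever the usual density says.
    n, k = 1000, 20
    print("OTU-style: density", round(usual_density(n, n ** k), 2),
          "pseudo-density", round(pseudo_density(n, k, n ** k), 6))
```

For $(q, k) = (197, 24)$ the usual density is about $1.08$, which a Lagarias-Odlyzko style argument would call safe, while $\kappa = 1$ and the Corollary 1 bound is about $2^{-53}$: the low weight, not the density, decides the outcome.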


7 Impact on the Security of Low- Weight Knapsack 
Cryptosystems 

We have established efficient provable reductions from the low-weight knapsack 
problem to two well-known lattice problems: SVP and CVP. However, we do 
not claim to break low-weight knapsack cryptosystems like OTU. This is be- 
cause there is an experimental and theoretical gap between lattice oracles for 
SVP/CVP and existing lattice reduction algorithms (see [17] for a list of refer- 
ences), as the lattice dimension increases. The state-of-the-art in lattice reduction 
suggests that exact SVP and CVP can only be solved up to moderate dimension, 
unless the lattice has exceptional properties (such as having one extremely short 
non-zero vector compared to all the other vectors). 
To roughly estimate the hardness of SVP/CVP in an $m$-dimensional lattice of volume $V$, lattice practitioners usually compare $V^{1/m}\sqrt{m}$ with a natural quantity related to the expected solution: for SVP, the quantity is the norm of the expected shortest vector, while for CVP, it is the distance between the target vector and the lattice. If the ratio is not large, it means that the solution is not exceptionally small: SVP and CVP become intractable in practice if the dimension is sufficiently high. In the case of a knapsack defined by integers $a_1, \ldots, a_n$, the work of [16] on the so-called orthogonal lattices shows as a simple particular case that the lattice $L$ defined by (1) has volume $V = \left(\sum_{i=1}^n a_i^2\right)^{1/2} / \gcd(a_1, \ldots, a_n)$. Thus, with overwhelming probability, $V \approx A = \max_i a_i$. Since the dimension of $L$ is $n - 1$, we need to consider $V^{1/(n-1)} \approx 2^{(\log_2 A)/(n-1)} \approx 2^{1/d}$ where $d$ is the usual knapsack density. The quantity is thus $2^{1/d}\sqrt{n-1} \approx 2^{1/d}\sqrt{n}$.

When dealing with a low-weight knapsack of weight $r = \sum_{i=1}^n m_i^2$, this quantity is not particularly large compared to the quantity $\sqrt{r}$ corresponding to the solution, unless $r$ is extremely small. This indicates that by taking a sufficiently high dimension $n$ and a not too small $r$ (which is also important to avoid simple dimension reduction methods like [8]), the corresponding lattice problems should be hard.

One may wonder how to select the lattice dimension to guarantee the hard- 
ness of SVP and CVP in practice. Current experimental records in lattice com- 
putations seem to depend on the type of lattices. For instance, Schnorr and 
Horner [21], using what is still the best lattice reduction algorithm known in 
practice, failed to decrypt Chor-Rivest ciphertexts for its suggested parameters, 
which correspond to a lattice dimension around 200-250. Bleichenbacher and 
Nguyen [1] reported similar problems with a dense 160-dimensional lattice. On 
the other hand, Nguyen [13] broke the GGH-challenge in dimension 350, but 
not in dimension 400. The record computation for breaking the NTRU cryp- 
tosystem [4] is a SVP computation in dimension 214 by May (see [8]), while the 
smallest NTRU parameter currently proposed corresponds to a 502-dimensional 
lattice. Thus, in order to propose concrete parameters for OTU, it would be 
useful to gather experimental data with the best reduction algorithms known 
(keeping track of recent development such as [15]). Besides, SVP and CVP in- 
stances arising from knapsack problems could serve as a useful benchmark to 
test and design new lattice reduction algorithms. 
Abstract. In this paper, we propose an efficient and secure point multiplication algorithm, based on double-base chains. This is achieved by taking advantage of the sparseness and the ternary nature of the so-called double-base number system (DBNS). The speed-ups are the results of fewer point additions and improved formulae for point triplings and quadruplings in both even and odd characteristic. Our algorithms can be protected against simple and differential side-channel analysis by using side-channel atomicity and classical randomization techniques. Our numerical experiments show that our approach leads to speed-ups compared to windowing methods, even with window size equal to 4, and other SCA resistant algorithms.


1 Introduction 

Elliptic curve cryptography (ECC) [24, 21] has rapidly received a lot of atten- 
tion because of its small key-length and increased theoretical robustness (there is 
no known subexponential algorithm to solve the ECDLP problem, which is the 
foundation of ECC). The efficiency of an ECC implementation mainly depends 
on the way we implement the scalar or point multiplication-, i.e., the compu- 
tation of the point kP = P + ■ ■ ■ + P ( k times), for a given point P on the 
curve. A vast amount of research has been done to accelerate and secure this 
operation, using various representations of the scalar k (binary, ternary, non- 
adjacent form (NAF), window methods (to-NAF) , Frobenius expansion,...), 
various systems of coordinates (affine, projective,. . . ) and various randomiza- 
tion techniques. See [15, 4, 1] for complete presentations. 

In this paper, we propose new scalar multiplication algorithms based on a 
representation of the multiplier as a sum of mixed powers of 2 and 3, called the 
double-base number system (DBNS). The inherent sparseness of this represen- 
tation scheme leads to fewer point additions than other classical methods. For 

B. Roy (Ed.): ASIACRYPT 2005, LNCS 3788, pp. 59-78, 2005. 
example, if $k$ is a randomly chosen 160-bit integer, then one needs only about 22
summands to represent it, as opposed to 80 in standard binary representation 
and 53 in the non-adjacent form (NAF). 

In order to best exploit the sparse and ternary nature of the DBNS, we also 
propose new formulae for point tripling and quadrupling for curves defined over 
binary fields and points in affine coordinates; and for prime fields using Jacobian 
coordinates. Our algorithms can be protected against side-channel attacks (SCA) 
by using side-channel atomicity [5] for simple analysis, and, in the odd case, using 
a point randomization method proposed by Joye and Tymen [20] for differential 
analysis. 

2 Background 

In this section, we give a brief overview of elliptic curve cryptography (see [1, 3, 
4, 15] for more details) and the double-base number system. 

2.1 Elliptic Curve Cryptography 

Definition 1. An elliptic curve $E$ over a field $K$ is defined by an equation

$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \qquad (1)$$

where $a_1, a_2, a_3, a_4, a_6 \in K$, and $\Delta \neq 0$, where $\Delta$ is the discriminant of $E$.

In practice, the Weierstrass equation (1) can be greatly simplified by applying admissible changes of variables. If the characteristic of $K$ is not equal to 2 and 3, then (1) rewrites

$$y^2 = x^3 + ax + b, \qquad (2)$$

where $a, b \in K$, and $\Delta = -16(4a^3 + 27b^2) \neq 0$.

When the characteristic of $K$ is equal to 2, we use the non-supersingular form of an elliptic curve, given by

$$y^2 + xy = x^3 + ax^2 + b, \qquad (3)$$

where $a, b \in K$ and $\Delta = b \neq 0$.

The set E(K) of rational points on an elliptic curve E defined over a field 
K is an abelian group, where the operation (generally denoted additively) is 
defined by the well-known law of chord and tangent, and the identity element is 
the special point O , called point at infinity. 

If the points on the curve are represented using affine coordinates, as $P = (x, y)$, both the point addition (ADD) and point doubling (DBL) involve an expensive field inversion (to compute the slope of the chord or the tangent). To avoid these inversions, several projective systems of coordinates have been proposed in the literature. The choice of a coordinate system has to be made according to the so-called $[i]/[m]$ ratio between one field inversion and one field multiplication. It is generally assumed that $3 \leq [i]/[m] \leq 10$ for binary fields [8, 14] and 30 or more for prime fields [12]. In this paper we consider affine ($\mathcal{A}$) coordinates for curves defined over binary fields and Jacobian ($\mathcal{J}$) coordinates, where the point $P = (X, Y, Z)$ corresponds to the point $(X/Z^2, Y/Z^3)$ on the elliptic curve, for curves defined over fields of odd characteristic.

As we shall see, our DBNS-based point multiplication algorithms use sev- 
eral primitives. In the following lines, we give a very brief description and the 
complexities of some previously published point arithmetic algorithms. We also 
propose improved primitives and new formulae in Section 4. 

In the following, we will use $[i]$, $[s]$ and $[m]$ to denote the cost of one inversion, one squaring and one multiplication respectively. We shall always leave out the cost of field additions. In binary fields, we assume that squarings are free (if normal bases are used) or of negligible cost (linear operation). Moreover, for curves defined over large prime fields, we will assume that $[s] = 0.8[m]$. Note that our algorithm can be protected against SCA (see Section 2.2) using side-channel atomicity [5], which we have shown in the case of prime fields. In this case, squarings and multiplications must be performed using the same multiplier in order to be indistinguishable, and we must consider $[s] = [m]$.

For fields of even characteristic, we use affine coordinates and we consider doublings (DBL), triplings (TPL) and quadruplings (QPL) as well as the combined double-and-add (DA), triple-and-add (TA) and quadruple-and-add (QA). It is easy to verify that ADD and DBL can be computed in $1[i] + 1[s] + 2[m]$. In [11], K. Eisenträger et al. have proposed efficient algorithms for DA, TPL and TA. By trading some inversions for a small number of multiplications, these results have been further improved when $[i]/[m] > 6$ in [6]. In Table 1 below, we give the complexities of each of these primitives. We also give the break-even points between the different formulae.


Table 1. Cost comparisons and break-even points for DA, TPL and TA over binary fields using affine coordinates

  Operation   [11]                   [6]                    break-even point
  2P ± Q      2[i] + 2[s] + 3[m]     1[i] + 2[s] + 9[m]     [i]/[m] = 6
  3P          2[i] + 2[s] + 3[m]     1[i] + 4[s] + 7[m]     [i]/[m] = 4
  3P ± Q      3[i] + 3[s] + 4[m]     2[i] + 3[s] + 9[m]     [i]/[m] = 5


When Jacobian coordinates are used and the curve is defined over a prime field (or a field of odd characteristic $> 3$), the addition and doubling operations, that we will denote $\mathrm{ADD}^{\mathcal{J}}$ and $\mathrm{DBL}^{\mathcal{J}}$ in this paper, require $12[m] + 4[s]$ and $4[m] + 6[s]$ respectively. The cost of $\mathrm{DBL}^{\mathcal{J}}$ can be reduced to $4[m] + 4[s]$ when $a = -3$ in (2). Also, if the base point is given in affine coordinates ($Z = 1$), then the cost of the so-called mixed addition ($\mathcal{J} + \mathcal{A} \to \mathcal{J}$) reduces to $8[m] + 3[s]$. When several doublings have to be computed, as for the computation of $2^w P$, the algorithm proposed by Itoh et al. in [16] is more efficient than $w$ invocations of $\mathrm{DBL}^{\mathcal{J}}$. In the general case ($a \neq -3$) it requires $4w[m] + (4w + 2)[s]$. In Table 2, we summarize the complexity of these different elliptic curve primitives.
Table 2. Complexity of several elliptic curve operations in Jacobian coordinates for fields of odd characteristic ≠ 3

  Curve operation     Complexity              # Registers
  DBL^J               4[m] + 6[s]             6
  DBL^J, a = -3       4[m] + 4[s]             5
  ADD^J               12[m] + 4[s]            7
  ADD^(J+A)           8[m] + 3[s]             7
  w-DBL^J             4w[m] + (4w + 2)[s]     7


2.2 Preventing Side-Channel Analysis 

Side-channel attacks (SCA) are one of the most serious threats to ECC implementations. Discovered by Kocher et al. [23, 22], these attacks can reveal secret information by sampling and analyzing various side-channel information (e.g. timing, power consumption, electromagnetic radiation) of a device. SCA can be divided into two types: simple attacks, which observe only one trace given by a single execution of the algorithm, and differential attacks, which use many observations and try to reveal the secret using statistical tools. Protecting ECC implementations against SCA has itself become an interesting area of research and several countermeasures have been proposed. Interested readers can refer to [4, 1] for details.

In the current work we will use a solution proposed by Chevallier-Mames et al. in [5] to protect against simple attacks, called side-channel atomicity. The countermeasure is based on the simple observation that some elementary operations are side-channel equivalent in the sense that they are indistinguishable (or can be made so by clever software implementation) from the side-channel.

2.3 Double-Base Number System 

The double-base number system (DBNS) [10] is a representation scheme in which every positive integer $k$ is represented as the sum or difference of $\{2,3\}$-integers (i.e., numbers of the form $2^b 3^t$) as

$$k = \sum_{i=1}^{m} s_i\, 2^{b_i} 3^{t_i}, \quad \text{with } s_i \in \{-1, 1\} \text{ and } b_i, t_i \geq 0. \qquad (4)$$

Clearly, this number representation scheme is highly redundant. If one considers the DBNS with only positive signs ($s_i = 1$), then certain interesting numerical and theoretical results can be proved. For instance, 10 has exactly five different DBNS representations, 100 has exactly 402 different DBNS representations and 1000 has exactly 1 295 579 different DBNS representations. Probably, the most important theoretical result about the double-base number system is the following theorem from [9].

Theorem 1. Every positive integer $k$ can be represented as the sum of at most

$$O\!\left(\frac{\log k}{\log \log k}\right)$$

$\{2,3\}$-integers.

The proof is based on Baker's theory of linear forms of logarithms and more specifically on a result by R. Tijdeman [25].

Some of these representations are of special interest, most notably the ones 
that require the minimal number of {2, 3}-integers; i.e., an integer can be rep- 
resented as the sum of m terms ({2,3}-integers), but cannot be represented as 
the sum of m — 1 or less. These representations, called canonic representations, 
are extremely sparse. Some numerical facts provide a good impression about 
the sparseness of the DBNS. The smallest integer requiring three $\{2,3\}$-integers in its canonic DBNS representation is 23. The next smallest integers requiring 4 to 7 $\{2,3\}$-integers are 431, 18 431, 3 448 733 and 1 441 896 119 respectively. In all of the above results we have assumed only positive (+1) values for the $s_i$'s. If one considers both signs, then the theoretical difficulties in establishing the properties of this number system dramatically increase. To wit, it is possible to prove that the smallest integer that cannot be represented as the sum or difference of two $\{2,3\}$-integers is 103. The next limit is conjectured to be 4985, but to prove it rigorously, one has to prove that the Diophantine equations $\pm 2^a 3^b \pm 2^c 3^d \pm 2^e 3^f = 4985$ do not have solutions in integers.

Finding one of the canonic DBNS representations, especially for very large integers, seems to be a very difficult task. Fortunately, one can apply a greedy algorithm to find a fairly sparse representation very quickly: given $k > 0$, find the largest number of the form $z = 2^b 3^t$ less than or equal to $k$, and apply the same procedure with $k - z$ until reaching zero. Although the greedy algorithm sometimes fails in finding a canonic representation¹, it is very easy to implement and it guarantees a representation satisfying the asymptotic bound given by Theorem 1 (see [9]).

In this paper, we will use a slightly modified version of the greedy algorithm 
in order to find a DBNS representation of the scalar k of particular form, well 
adapted to fast and secure elliptic curve point multiplication. In the next section, 
we introduce the concept of double-base chains and the corresponding scalar 
multiplication algorithms. 


3 Double-Base Chain and Point Multiplication 

Let $E$ be an elliptic curve defined over $K$, and let $P \neq O$ be a point on $E(K)$. Assuming $k$ is represented in DBNS, our new scalar multiplication algorithm computes the new point $kP \in E(K)$ by using the so-called double-base chain as defined below.

Definition 2 (Double-Base Chain). Given $k > 0$, a sequence $(C_n)_{n > 0}$ of positive integers satisfying:

$$C_1 = 1, \qquad C_{n+1} = 2^u 3^v C_n + s, \quad \text{with } s \in \{-1, 1\} \qquad (5)$$

for some $u, v \geq 0$, and such that $C_m = k$ for some $m > 0$, is called a double-base chain for $k$. The length $m$ of a double-base chain is equal to the number of $\{2,3\}$-integers in (4) used to represent $k$.

¹ The smallest example is 41; the canonic representation is 32 + 9, whereas the greedy algorithm returns 41 = 36 + 4 + 1.

Let $k > 0$ be an integer represented in DBNS as $k = \sum_{i=1}^{m} s_i 2^{b_i} 3^{t_i}$, with $s_i \in \{-1, 1\}$, where the $b_i$'s and $t_i$'s form two decreasing sequences; i.e., $b_1 \geq b_2 \geq \cdots \geq b_m \geq 0$ and $t_1 \geq t_2 \geq \cdots \geq t_m \geq 0$. These particular DBNS representations allow us to expand $k$ in a Horner-like fashion such that all partial results can be reused.

We first remark that such a representation always exists (e.g., the binary 
representation is a special case). In fact, this particular DBNS representation 
is also highly redundant. Counting the exact number of DBNS representations 
which satisfy these conditions is indeed a very interesting problem, but the only 
partial results we have at the moment are beyond the scope of this paper. 

If necessary, such a particular DBNS representation for $k$ can be computed using Algorithm 1 below, which is a modified version of the greedy algorithm briefly described in Section 2.3. Two important parameters of this algorithm are the upper bounds for the binary and ternary exponents in the expansion of $k$, called $b_{\max}$ and $t_{\max}$ respectively. Clearly, we have $b_{\max} \leq \log_2(k) < n$ and $t_{\max} \leq \log_3(k) \approx 0.63n$. We noticed that using these utmost values for $b_{\max}$ and $t_{\max}$ does not result in short expansions. Instead, we consider the following heuristic, which leads to very good results: if $k = (k_{n-1} \ldots k_1 k_0)_2$ is a randomly chosen $n$-bit integer (with $k_{n-1} \neq 0$), we initially set $b_{\max} = x$ and $t_{\max} = y$, where $2^x 3^y$ is a very good, non-trivial (with $y \neq 0$) approximation of $2^n$. (Specific values are given in Table 7 for $n = 160$.) Then, in order to get decreasing sequences for $b_i$'s and $t_i$'s, the new largest exponents are updated according to the values of $b$ and $t$ obtained in Step 3.

Algorithm 1. Conversion to DBNS with restricted exponents
Input: $k$, an $n$-bit positive integer; $b_{\max}, t_{\max} > 0$, the largest allowed binary and ternary exponents
Output: the sequence $(s_i, b_i, t_i)_{i > 0}$ such that $k = \sum_i s_i 2^{b_i} 3^{t_i}$, with $b_1 \geq \cdots \geq b_m \geq 0$ and $t_1 \geq \cdots \geq t_m \geq 0$
1: $s \leftarrow 1$
2: while $k > 0$ do
3:   define $z = 2^b 3^t$, the best approximation of $k$ with $0 \leq b \leq b_{\max}$ and $0 \leq t \leq t_{\max}$
4:   print $(s, b, t)$
5:   $b_{\max} \leftarrow b$, $t_{\max} \leftarrow t$
6:   if $k < z$ then
7:     $s \leftarrow -s$
8:   $k \leftarrow |k - z|$

The complexity of Algorithm 1 mainly depends on the way we implement Step 
3: finding the best approximation of k of the form z = 2^b 3^t. If we can afford the 
storage of all the mixed powers of 2 and 3, this can be implemented very easily 
using a search over an ordered table of precomputed values. Otherwise, we can 
use an efficient solution recently proposed in [2] based on continued fractions 
and Ostrowski’s number system. In both cases, the complexity of the conversion 
is negligible compared to the cost of the scalar multiplication. However, it is 
important to remark that, in most cases, the conversion into DBNS might not 
be needed. Indeed, in most ECC protocols, the multiplier k is a randomly chosen 
integer. We can thus directly generate a random DBNS number in the required 
form. Also, when k is part of a secret key, the conversion into DBNS can be done 
offline and even further optimized, when computation time is not an issue. 

In the next sections, we present two versions of the DBNS-based point multi- 
plication algorithm. We shall refer to the even case for curves defined over binary 
fields, when affine coordinates are used; and to the odd case for curves defined 
over large prime fields (or more generally any field of odd characteristic greater 
than 3), when Jacobian coordinates are preferred. 

3.1 Point Multiplication in Even Characteristic 

In even characteristic, i.e., with P ∈ E(F_{2^n}) and k defined as above, Algorithm 2 
below computes the new point kP. We remark that although m − 1 additions are 
required to compute kP, we never actually use the addition operation (ADD), 
simply because we combine each addition with either a doubling (Step 13), a 
tripling (Step 6) or a quadrupling (Step 11), using the DA, TA and QA prim- 
itives. Note also that the TA operation for computing 3P ± Q is only used in 
Step 6, when u = 0. Another approach of similar cost is to start with all the 
quadruplings plus one possible doubling when u is odd, and then perform v − 1 
triplings followed by one final triple-and-add. We present new algorithms for 4P 
and 4P ± Q in Section 4. 

Algorithm 2. Double-Base Scalar Multiplication in even characteristic 
Input: An integer k = \sum_{i=1}^{m} s_i 2^{b_i} 3^{t_i}, with s_i ∈ {−1, 1}, and such that b_1 ≥ b_2 ≥ ··· ≥ 
b_m ≥ 0, and t_1 ≥ t_2 ≥ ··· ≥ t_m ≥ 0; and a point P ∈ E(K) 
Output: the point kP ∈ E(K) 
1: Z ← s_1 P 
2: for i = 1, ..., m − 1 do 
3:   u ← b_i − b_{i+1} 
4:   v ← t_i − t_{i+1} 
5:   if u = 0 then 
6:     Z ← 3(3^{v−1} Z) + s_{i+1} P 
7:   else 
8:     Z ← 3^v Z 
9:     Z ← 4^{⌊(u−1)/2⌋} Z 
10:    if u ≡ 0 (mod 2) then 
11:      Z ← 4Z + s_{i+1} P 
12:    else 
13:      Z ← 2Z + s_{i+1} P 
14: Return Z 
In order to evaluate the complexity of Algorithm 2, we have to count the 
number of curve operations; i.e., the number of DBL, DA, TPL, TA, QPL, 
QA, which clearly depends on the DBNS representation of the scalar k. In fact, 
Algorithm 2 gives us a double-base chain for k, say K_m, that we can use to 
determine the number of curve operations required to evaluate kP. Let us define 
W_n as the number of curve operations required to compute K_n P from K_{n−1} P. 
We have K_1 = 1 and W_1 = 0 (in Step 1, we set Z to P or −P at no cost). Then, 
for n > 1 we have 

W_{n+1} = \delta_{u,0}\bigl((v - 1)\,T + TA\bigr) + (1 - \delta_{u,0})\Bigl(v\,T + \Bigl\lfloor \frac{u-1}{2} \Bigr\rfloor Q + \delta_{|u|_2,0}\,QA + \delta_{|u|_2,1}\,DA\Bigr), \qquad (6) 

where δ_{i,j} is the Kronecker delta such that δ_{i,j} = 1 if i = j and δ_{i,j} = 0 if i ≠ j, 
and |u|_2 denotes u mod 2 (the remainder of u in the division by 2). The total 
cost for computing kP from the input point P is thus given by 

\sum_{i=1}^{m} W_i. \qquad (7) 

In Section 5, we illustrate the efficiency of this algorithm by providing com- 
parisons with classical methods and a recently proposed ternary/binary ap- 
proach [6]. 


3.2 Point Multiplication in Odd Characteristic 

For fields of odd characteristic > 3, when primitives in Jacobian coordinates are 
more efficient, Algorithm 3 below is used to compute kP. It takes advantage 
of the known w-DBL^J and ADD^{J+A} formulae recalled in Section 2.1 and the 
new TPL^J, w-TPL^J and w-TPL^J/w'-DBL^J proposed in Section 4. Its com- 
plexity depends on the number of doublings, triplings and mixed additions that 
have to be performed. Clearly, the total number of (mixed) additions is equal 
to the length m of the double-base chain for k, or equivalently the number of 
{2,3}-integers in its DBNS representation. Also, the numbers of doublings and 
triplings are equal to b_1 ≤ b_max and t_1 ≤ t_max respectively. However, the field 
cost can be more precisely evaluated if one considers the exact complexity of 
each iteration, by counting the exact number of field multiplications and squar- 
ings required in Steps 4 and 5 by the consecutive calls to v-TPL and u-DBL. 
In Section 5, we make this complexity analysis more precise and we compare 
our new approach with several previous algorithms recognized for their effi- 
ciency. 

Algorithm 3. Double-Base Scalar Multiplication in Odd Characteristic > 3 
Input: An integer k = \sum_{i=1}^{m} s_i 2^{b_i} 3^{t_i}, with s_i ∈ {−1, 1}, and such that b_1 ≥ b_2 ≥ ··· ≥ 
b_m ≥ 0, and t_1 ≥ t_2 ≥ ··· ≥ t_m ≥ 0; and a point P ∈ E(K) 
Output: the point kP ∈ E(K) 
1: Z ← s_1 P 
2: for i = 1, ..., m − 1 do 
3:   u ← b_i − b_{i+1}, v ← t_i − t_{i+1} 
4:   Z ← 3^v Z 
5:   Z ← 2^u Z 
6:   Z ← Z + s_{i+1} P 
7: Return Z 

4 New Point Arithmetic Algorithms 

In this section we present new formulae for point quadrupling (QPL) and com- 
bined quadruple-and-add (QA) in even characteristic, and for triplings (TPL^J, 
w-TPL^J and w-TPL^J/w'-DBL^J) in odd characteristic, to be used in conjunc- 
tion with the proposed point multiplication algorithms. 

4.1 New Algorithms for 4P and 4P ± Q in Even Characteristic 

We remark that the trick used in [11] by Eisenträger et al., which consists in 
evaluating only the x-coordinate of 2P when computing 2P ± Q, can also be 
applied to speed up the quadrupling (QPL) primitive. Indeed, given P = (x_1, y_1), 
where P ≠ −P, we have 2P = (x_3, y_3), where 

\lambda_1 = x_1 + \frac{y_1}{x_1}, \quad x_3 = \lambda_1^2 + \lambda_1 + a, \quad y_3 = \lambda_1(x_1 + x_3) + x_3 + y_1, 

and 4P = 2(2P) = (x_4, y_4), where 

\lambda_2 = x_3 + \frac{y_3}{x_3}, \quad x_4 = \lambda_2^2 + \lambda_2 + a, \quad y_4 = \lambda_2(x_1 + x_4) + x_4 + y_1. 

We observe that the computation of y_3 can be avoided by evaluating λ_2 as 

\lambda_2 = \frac{x_1^2}{x_3} + \lambda_1 + x_3 + 1. \qquad (8) 

As a result, computing 4P over binary fields requires 2[i] + 3[s] + 3[m]. Compared 
to two consecutive doublings, it saves one field multiplication at the extra cost 
of one field squaring. Note that we are working in characteristic two and thus 
squarings are free (normal basis) or of negligible cost (linear operation in binary 
fields). 

For the QA operation, we evaluate 4P ± Q as 2(2P) ± Q using one doubling 
(DBL) and one double-and-add (DA), resulting in 3[i] + 3[s] + 5[m]. This is 
always better than applying the previous trick one more time by computing 
(((P ± Q) + P) + P) + P in 4[i] + 4[s] + 5[m], or evaluating 3P + (P ± Q), which 
requires 4[i] + 4[s] + 6[m]. 

In [6], Ciet et al. have improved an algorithm by Guajardo and Paar [13] 
for the computation of 4P; their new method requires 1[i] + 5[s] + 8[m]. Based 
on their costs, QA is best evaluated as (4P) ± Q using one quadrupling (QPL) 
followed by one addition (ADD) in 2[i] + 6[s] + 10[m]. In Table 3 below, we 
summarize the costs and break-even points between our new formulae and the 
algorithms proposed in [6]. 


Table 3. Costs comparisons and break-even points for QPL and QA in even charac- 
teristic using affine coordinates 

Operation   present work          [6]                   break-even point 
4P          2[i] + 3[s] + 3[m]    1[i] + 5[s] + 8[m]    [i]/[m] = 5 
4P ± Q      3[i] + 3[s] + 5[m]    2[i] + 6[s] + 10[m]   [i]/[m] = 5 
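Formula (8) and the resulting quadrupling, worked through as an added example that is not the paper's code: the field GF(2^11) with reduction polynomial x^11 + x^2 + 1, the curve coefficients and the base point G are constructed here, and the 4P obtained through (8) is compared with two plain doublings. y_4 is taken from the tangent line at 2P written as x_3^2 + (λ_2 + 1)x_4, this example's own choice, so that y_3 is not needed there either.

```python
# The quadrupling trick of Section 4.1 on a constructed binary curve
# y^2 + xy = x^3 + a x^2 + b over GF(2^11), checked against two doublings.

M_DEG, RED_POLY = 11, 0b100000000101   # GF(2^11) with x^11 + x^2 + 1 (assumed)
CA, CB = 1, 15                         # b was derived so that G lies on the curve
G = (2, 3)                             # the field elements x and x + 1
INF = None                             # point at infinity

def gf_mul(u, v):
    """Carry-less multiplication, reduced modulo RED_POLY."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> M_DEG & 1:
            u ^= RED_POLY
    return r

def gf_inv(u):
    """u^(2^m - 2) by square-and-multiply (u != 0)."""
    r, e = 1, (1 << M_DEG) - 2
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u = gf_mul(u, u)
        e >>= 1
    return r

def on_curve(p):
    x, y = p
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(CA, x2) ^ CB

def double(p):
    """Affine doubling; x = 0 means P has order 2, so 2P is the point at infinity."""
    if p is INF or p[0] == 0:
        return INF
    x1, y1 = p
    lam = x1 ^ gf_mul(y1, gf_inv(x1))           # lambda_1 = x1 + y1/x1
    x3 = gf_mul(lam, lam) ^ lam ^ CA             # x3 = lambda_1^2 + lambda_1 + a
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)  # y3 = lambda_1(x1 + x3) + x3 + y1

def quadruple(p):
    """4P with lambda_2 from formula (8), so y3 is never computed. y4 is the
    tangent-line value at 2P written as x3^2 + (lambda_2 + 1) x4 (this example's
    choice, which also avoids y3)."""
    if p is INF or p[0] == 0:
        return INF
    x1, y1 = p
    lam1 = x1 ^ gf_mul(y1, gf_inv(x1))
    x3 = gf_mul(lam1, lam1) ^ lam1 ^ CA
    if x3 == 0:                                  # 2P has order 2, hence 4P = O
        return INF
    lam2 = gf_mul(gf_mul(x1, x1), gf_inv(x3)) ^ lam1 ^ x3 ^ 1   # formula (8)
    x4 = gf_mul(lam2, lam2) ^ lam2 ^ CA
    return (x4, gf_mul(x3, x3) ^ gf_mul(lam2 ^ 1, x4))
```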


4.2 New Point Tripling Formula in Odd Characteristic 

In order to best exploit the ternary nature of the DBNS representation we also 
propose new point tripling algorithms in Jacobian coordinates, for curves defined 
over fields of odd characteristic (> 3). 

To simplify, let us first consider affine coordinates. Let P = (x_1, y_1) ∈ E(K) be 
a point on an elliptic curve E defined by (2). By definition, we have 2P = (x_2, y_2), 
where 

\lambda_1 = \frac{3x_1^2 + a}{2y_1}, \quad x_2 = \lambda_1^2 - 2x_1, \quad y_2 = \lambda_1(x_1 - x_2) - y_1. \qquad (9) 

We can compute 3P = 2P + P = (x_3, y_3) by evaluating λ_2 (the slope of the 
chord between the points 2P and P) as a function of x_1 and y_1 only. We have 

\lambda_2 = \frac{y_2 - y_1}{x_2 - x_1} = -\frac{3x_1^2 + a}{2y_1} - \frac{8y_1^3}{(3x_1^2 + a)^2 - 12x_1y_1^2}. \qquad (10) 

We further remark that 

x_3 = \lambda_2^2 - x_1 - x_2 = \lambda_2^2 - x_1 - \lambda_1^2 + 2x_1 = (\lambda_2 - \lambda_1)(\lambda_2 + \lambda_1) + x_1, \qquad (11) 

and 

y_3 = \lambda_2(x_1 - x_3) - y_1 = -\lambda_2(\lambda_2 - \lambda_1)(\lambda_2 + \lambda_1) - y_1. \qquad (12) 

Thus 3P = (x_3, y_3) can be computed directly from P = (x_1, y_1), without evalu- 
ating the intermediate values x_2 and y_2. 
By replacing x_1 and y_1 by X_1/Z_1^2 and Y_1/Z_1^3 respectively, we obtain the fol- 
lowing point tripling formulae in Jacobian coordinates. Given P = (X_1, Y_1, Z_1), 
we compute 3P = (X_3, Y_3, Z_3) as 

X_3 = 8Y_1^2(T - ME) + X_1E^2, 
Y_3 = Y_1\bigl(4(ME - T)(2T - ME) - E^3\bigr), \qquad (13) 
Z_3 = Z_1E, 

where M = 3X_1^2 + aZ_1^4, E = 12X_1Y_1^2 − M^2 and T = 8Y_1^4. 

The complexity of this new point tripling algorithm is equal to 6[s] + 10[m]. If 
one uses side-channel atomicity to resist simple SCA, then this is equivalent to 
16[m]. We express TPL^J in terms of atomic blocks in Table 11 of Appendix A. In 
comparison, computing 3P using the doubling and addition algorithms from [5], 
expressed as a repetition of atomic blocks, costs 10[m] + 16[m] = 26[m]. 

As we have seen in Section 3.2, the operation count of Algorithm 3 can be reduced 
by improving the computation of consecutive triplings; i.e., expressions of the 
form 3^w P. From (13), we remark that the computation of the intermediate value 
M = 3X_1^2 + aZ_1^4 requires 1[m] + 3[s] (we omit the multiplication by 3). If we 
need to compute 9P, we have to evaluate M' = 3X_3^2 + aZ_3^4. Since Z_3 = Z_1E, 
we have aZ_3^4 = aZ_1^4E^4 (where E = 12X_1Y_1^2 − M^2), and aZ_1^4 and E^2 have 
already been computed in the previous iteration. Hence, using these precomputed 
subexpressions, we can compute M' = 3X_3^2 + (aZ_1^4)(E^2)^2, with 1[m] + 2[s]. The 
same technique can be applied to save one multiplication for each subsequent 
tripling. Thus, we can compute 3^w P with (15w + 1)[m], which is better than w 
invocations of the tripling algorithm. The atomic blocks version of w-TPL^J is 
given in Table 12 of Appendix A. Note that the idea of reusing aZ^4 for multiple 
doublings was first proposed by Cohen et al. in [7], where modified Jacobian 
coordinates are proposed. It is possible that a similar approach for repeated 
triplings can lead to further improvements. 

From Table 2, DBL^J normally requires 4[m] + 6[s], or equivalently 10 blocks 
of computation if side-channel atomicity is used. However, in our scalar mul- 
tiplication algorithm, we remark that we very often invoke w'-DBL^J right af- 
ter a w-TPL^J (the only exceptions occur when u = 0, which corresponds to a 
series of consecutive {2,3}-integers in the expansion of k having the same bi- 
nary exponents). Using subexpressions computed for the last tripling, we can 
save 1[s] for the first DBL^J. The next (w' − 1)-DBL^J are then computed with 
(4w' − 4)[m] + (4w' − 4)[s]. (The details of these algorithms are given in Ap- 
pendix A.) We summarize the complexities of these curve operations in Table 4. 

Table 4. Costs of tripling algorithms in Jacobian coordinates for curves defined over 
fields of odd characteristic > 3 

Curve operation       Complexity                                    # Registers 
TPL^J                 6[s] + 10[m]                                  8 
w-TPL^J               (4w + 2)[s] + (11w − 1)[m]                    10 
w-TPL^J/w'-DBL^J      (4w + 4w' + 3)[s] + (11w + 4w' − 1)[m]        10 
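Algorithms 1 and 3 of Section 3 and the tripling formula (13) with the w-TPL^J reuse of aZ^4, worked through together as an added example that is not the paper's code: the prime p = 10007, the curve y^2 = x^3 + 5x + 7 and the base point G = (3, 7) are constructed for illustration, the 3^v steps of Algorithm 3 run in Jacobian coordinates while doublings and additions use plain affine formulae, and the result is checked against double-and-add.

```python
# Algorithm 1 (greedy DBNS conversion), Algorithm 3 (double-base scalar multiplication)
# and the Jacobian tripling (13) with w-TPL^J reuse of a*Z^4, on a constructed toy curve.

P_MOD = 10007            # small prime, assumed for illustration (not a standard curve)
A, B = 5, 7              # B was chosen so that G lies on y^2 = x^3 + A x + B
G = (3, 7)               # 7^2 = 3^3 + 5*3 + 7 (mod 10007)
INF = None               # point at infinity

def inv(x):
    return pow(x, P_MOD - 2, P_MOD)

def affine_add(p, q):
    """Chord-and-tangent addition in affine coordinates; all special cases handled."""
    if p is INF or q is INF:
        return q if p is INF else p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:                     # q = -p (also covers y = 0)
            return INF
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD  # tangent slope, as in (9)
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def double_and_add(k, p):
    """Reference left-to-right binary method."""
    r = INF
    for bit in bin(k)[2:]:
        r = affine_add(r, r)
        if bit == "1":
            r = affine_add(r, p)
    return r

def jacobian_triple(X1, Y1, Z1, aZ4):
    """TPL^J per (13); aZ4 = A*Z1^4 comes in, A*Z3^4 = aZ4*(E^2)^2 goes out (w-TPL^J reuse)."""
    Y2 = Y1 * Y1 % P_MOD
    M = (3 * X1 * X1 + aZ4) % P_MOD
    E = (12 * X1 * Y2 - M * M) % P_MOD
    T = 8 * Y2 * Y2 % P_MOD
    E2, ME = E * E % P_MOD, M * E % P_MOD
    X3 = (8 * Y2 * (T - ME) + X1 * E2) % P_MOD
    Y3 = Y1 * (4 * (ME - T) * (2 * T - ME) - E * E2) % P_MOD
    return X3, Y3, Z1 * E % P_MOD, aZ4 * E2 % P_MOD * E2 % P_MOD

def triple_w(p, w):
    """3^w * p by w consecutive Jacobian triplings and a single final inversion."""
    if p is INF or w == 0:
        return p
    X, Y, Z, aZ4 = p[0], p[1], 1, A
    for _ in range(w):
        X, Y, Z, aZ4 = jacobian_triple(X, Y, Z, aZ4)
        if Z == 0:           # E = 0 means 2P = -P: the tripling lands on O
            return INF
    zi = inv(Z)
    return (X * zi * zi % P_MOD, Y * zi * zi * zi % P_MOD)

def best_approx(k, bmax, tmax):
    """Step 3 of Algorithm 1 by exhaustive search (the paper uses a table or [2])."""
    best = None
    for t in range(tmax + 1):
        for b in range(bmax + 1):
            z = 3 ** t << b
            if best is None or abs(k - z) < best[0]:
                best = (abs(k - z), b, t)
            if z > k:        # larger b only moves further away from k
                break
    return best[1], best[2]

def to_dbns(k, bmax, tmax):
    """Algorithm 1: k = sum s_i 2^b_i 3^t_i, both exponent sequences decreasing."""
    terms, s = [], 1
    while k > 0:
        b, t = best_approx(k, bmax, tmax)
        terms.append((s, b, t))
        bmax, tmax = b, t    # step 5: later exponents may not exceed these
        z = 3 ** t << b
        if k < z:
            s = -s           # step 7: the remainder |k - z| is subtracted
        k = abs(k - z)
    return terms

def db_chain_multiply(k, p, bmax, tmax):
    """Algorithm 3 driven by Algorithm 1; the 3^v steps use w-TPL^J."""
    terms = to_dbns(k, bmax, tmax)
    signed = {1: p, -1: (p[0], -p[1] % P_MOD)}
    z = signed[terms[0][0]]                                  # step 1: Z <- s_1 P
    for (_, b, t), (s_next, b_next, t_next) in zip(terms, terms[1:]):
        u, v = b - b_next, t - t_next                        # step 3
        z = triple_w(z, v)                                   # step 4: Z <- 3^v Z
        for _ in range(u):                                   # step 5: Z <- 2^u Z
            z = affine_add(z, z)
        z = affine_add(z, signed[s_next])                    # step 6: Z <- Z + s_{i+1} P
    _, b_m, t_m = terms[-1]  # the last term's own exponents (0 in the paper's chain)
    z = triple_w(z, t_m)
    for _ in range(b_m):
        z = affine_add(z, z)
    return z
```

For the footnote's k = 41 the conversion returns the terms (1, 2, 2), (1, 2, 0), (1, 0, 0), i.e. 36 + 4 + 1.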
5 Comparisons 

In this section, we compare our algorithms to the classic double-and-add, NAF 
and 4-NAF methods, plus some other recently proposed algorithms. More pre- 
cisely, we consider the ternary/binary approach from [6] in even characteristic 
and two algorithms from Izu et al., published in [17] and [19] for curves defined 
over fields of odd characteristic. In the latter case, we consider the protected ver- 
sion of our algorithm, combined with Joye's and Tymen's randomization tech- 
nique to counteract differential attacks [20]. 

If we assume that k is a randomly chosen n-bit integer, it is well known that 
the double-and-add algorithm requires n doublings and n/2 additions on average. 
Using the NAF representation, the average density of non-zero digits is reduced 
to 1/3. More generally, for w-NAF methods, the average number of non-zero 
digits is roughly equal to 1/(w + 1). Unfortunately, it seems very difficult to 
give such an estimate for the particular DBNS representation we are considering 
in this paper. In [9], it is proved that the greedy algorithm (with unbounded 
exponents) returns a DBNS expansion which satisfies the asymptotic bound of 
O(n/log n) additions, but this is probably not valid with the restriction that the 
exponents form two decreasing sequences. The rigorous determination of this 
complexity leads to tremendously difficult problems in transcendental number 
theory and exponential Diophantine equations and is still an open problem. 

Hence, in order to estimate the average number of {2,3}-integers required to 
represent k, and to precisely evaluate the complexity of our point multiplication 
algorithms, we have performed several numerical experiments, over 10000 ran- 
domly chosen 160-bit integers (163-bit integers for binary fields). Our results are 
presented in the next two sections. 

5.1 Binary Fields 

The average number of curve operations is presented in Table 5 for 163-bit 
numbers. The corresponding numbers of field operations are given in Table 6 for 
different ratios [i]/[m], using the best complexities from Tables 1 and 3 in each 
case. 

In Table 6, we remark that our algorithm requires fewer inversions and multi- 
plications than the other methods, and because we are working over binary fields, 
squarings can be ignored. We can estimate the cost of each method, in terms 
of the equivalent number of field multiplications, by multiplying the number of 
inversions by the ratio [i]/[m]. By doing so, we obtain a speed-up of 21%, 13.5% 
and 5.4% over the binary, NAF and ternary/binary approaches respectively for 
[i]/[m] = 8; and 14.1%, 4.8% and 4.4% for [i]/[m] = 4. 

Table 5. Average number of curve operations using the binary, NAF, ternary/binary 
and DB-chain approaches for n = 163 bits 

Algorithm             D     DA    T     TA    Q     QA 
binary                82    81    -     -     -     - 
NAF                   109   54    -     -     -     - 
ternary/binary        38    37    55    -     -     - 
DB-chain (Algo. 2)    -     17    35    5     25    14 

Table 6. Average number of field operations using the binary, NAF, ternary/binary 
and DB-chain approaches for n = 163 bits, and [i]/[m] = 4, 8 

                      [i]/[m] = 4            [i]/[m] = 8 
Algorithm             [i]   [s]   [m]        [i]   [s]   [m] 
binary                244   244   407        163   244   893 
NAF                   217   217   380        163   217   704 
ternary/binary        222   222   353        130   333   795 
DB-chain (Algo. 2)    215   240   327        117   405   798 

Table 7. Average number of terms and the corresponding field complexity of our new 
scalar multiplication algorithm obtained using 10000 randomly chosen 160-bit integers 
and different largest binary and ternary exponents 

b_max   t_max   m       Field cost                         Complexity (#[m]) 
57      65      44.52   1[i] + 742.10[s] + 1226.92[m]      1999.02 
76      53      38.40   1[i] + 740.59[s] + 1133.58[m]      1904.17 
95      41      36.83   1[i] + 755.77[s] + 1077.48[m]      1863.25 
103     36      38.55   1[i] + 772.42[s] + 1074.22[m]      1876.25 


5.2 Prime Fields 

In this section, we report results for 160-bit integers. If the classic methods are 
used in conjunction with side-channel atomicity (which implies [s] = [m]), the 
average cost of the double-and-add method can be estimated to 159 × 10 + 80 × 
11 + 41 = 2511[m]; similarly, the NAF and 4-NAF methods require 2214[m] and 
1983[m] respectively. The results of our numerical experiments are presented in 
Table 7. 

In Table 7, we give the average number m of {2, 3}-integers used to represent 
a random 160-bit integer, and the average number of field operations performed 
by Algorithm 3 for different values of b_max and t_max. (This cost includes the fixed 
cost of Joye and Tymen's randomization.) In order to compare our algorithm 
with the side-channel resistant algorithms presented in [17, 19, 18], we also give 
the uniform cost in terms of the number of field multiplications. Note that, 
because we are using side-channel atomicity to prevent simple analysis, squarings 
cannot be optimized and must be computed using a general multiplier. We thus 
assume [s] = [m] and [i] = 30[m]. 

In Table 8, we summarize the complexities of these recognized methods. The 
figures for the algorithms from Izu, Möller and Takagi are taken from [17] and [19], 
assuming Coron's randomization technique, which turns out to be more efficient 
in their case. The cost of our algorithm is taken from the third row of Table 7, 
with b_max = 95 and t_max = 41, which corresponds to the best non-trivial ap- 
proximation to 2^160 and leads to the best complexity. 

Table 8. Comparison of different scalar multiplication algorithms protected against 
simple and differential analysis 

Algorithm                        Complexity (#[m]) 
double-and-add                   2511 
NAF                              2214 
4-NAF                            1983 
Izu, Möller, Takagi 2002 [17]    2449 
Izu, Takagi 2005 [19]            2629 
Double-base chain (Algo. 3)      1863 

We remark that our new algorithm outperforms all the previous recognized 
methods. It represents a gain of 25.8% over the double-and-add, 15.8% over the 
NAF, 6% over 4-NAF, 23.9% over [17] and 29.1% over [19]. 

6 Conclusions 

In this paper, we have presented fast and secure scalar multiplication algorithms 
which take advantage of the sparseness and the ternary nature of the double- 
base number system. When Jacobian coordinates are used for curves defined over 
fields of odd characteristic (greater than 3), new formulae for TPL^J and w-TPL^J 
have been proposed and expressed in atomic blocks to prevent simple analysis. 
Differential attacks are prevented using Joye and Tymen's randomization method, 
but any countermeasure (allowing for mixed addition) can be integrated into our 
point multiplication algorithm. When working over binary fields, improved algo- 
rithms for point quadrupling and combined quadruple-and-add have been pre- 
sented. Although many theoretical questions remain open about the double-base 
number system, e.g. the exact determination of the average number of {2,3}- 
integers, or the number of DBNS representations with decreasing exponents of 
a given integer, we have produced a modified greedy algorithm to convert the 
multiplier k into the particular DBNS form required by our point multiplication 
algorithm. However, we want to make clear the point that in most cases, this 
conversion is not necessary. When k is randomly chosen, it suffices to generate 
directly a random, convenient DBNS number (with decreasing exponents); and 
when k is part of a secret key, the conversion process can be performed offline 
and even further optimized. We believe that the proposed point multiplication 
algorithms are very competitive contenders for fast and secure ECC implemen- 
tations. 
A w-DBL^J and w-TPL^J Algorithms in Atomic Blocks 

In this appendix, we give the algorithms for DBL^J (including the case when 
a doubling is performed right after a tripling), w-DBL^J, TPL^J and w-TPL^J, 
expressed in atomic blocks. 


Table 9. The DBL^J algorithm in atomic blocks. When DBL^J is called right after 
w-TPL^J, the blocks Δ2, Δ3 and Δ4 can be replaced by the blocks Δ2' and Δ3' to save 
one multiplication. 

DBL^J 
Input: P = (X_1, Y_1, Z_1) 
Output: 2P = (X_3, Y_3, Z_3) 
Init: R_1 = X_1, R_2 = Y_1, R_3 = Z_1 

Δ1:  R_4 = R_1 × R_1 (X_1^2);  R_5 = R_4 + R_4 (2X_1^2);  R_4 = R_4 + R_5 (3X_1^2) 
Δ2:  R_5 = R_3 × R_3 (Z_1^2) 
Δ3:  R_5 = R_5 × R_5 (Z_1^4) 
Δ4:  R_6 = a × R_5 (aZ_1^4);  R_4 = R_4 + R_6 (M);  R_5 = R_2 + R_2 (2Y_1) 
Δ5:  R_3 = R_3 × R_5 (Z_3) 
Δ6:  R_2 = R_2 × R_2 (Y_1^2);  R_2 = R_2 + R_2 (2Y_1^2);  R_1 = R_1 + R_1 (2X_1) 
Δ7:  R_5 = R_1 × R_2 (S);  R_5 = −R_5 (−S) 
Δ8:  R_1 = R_4 × R_4 (M^2);  R_1 = R_1 + R_5 (M^2 − S);  R_1 = R_1 + R_5 (X_3) 
Δ9:  R_2 = R_2 × R_2 (4Y_1^4);  R_7 = R_2 + R_2 (T);  R_5 = R_1 + R_5 (X_3 − S) 
Δ10: R_4 = R_4 × R_5 (M(X_3 − S));  R_2 = R_4 + R_7 (−Y_3);  R_2 = −R_2 (Y_3) 

Δ2': R_5 = R_10 × R_10 (E^4) 
Δ3': R_6 = R_5 × R_9 (aZ_1^4);  R_4 = R_4 + R_6 (M);  R_5 = R_2 + R_2 (2Y_1) 




Table 10. The w-DBL^J algorithm in atomic blocks. The 10 blocks (or 9 if executed 
after w-TPL^J) of DBL^J (Table 9) must be executed once, followed by the blocks Δ11 
to Δ18 which have to be executed w − 1 times. After the execution of DBL^J, the 
point of coordinates (X_t, Y_t, Z_t) corresponds to the point 2P; at the end of the w − 1 
iterations, 2^w P = (X_3, Y_3, Z_3) = (X_t, Y_t, Z_t). 

w-DBL^J 
Input: P = (X_1, Y_1, Z_1) 
Output: 2^w P = (X_3, Y_3, Z_3) 
Init: (X_t, Y_t, Z_t) is the result of DBL^J(P), R_6 = aZ_1^4, R_7 = 8Y_1^4 

Δ11: R_4 = R_1 × R_1 (X_t^2);  R_5 = R_4 + R_4 (2X_t^2);  R_4 = R_4 + R_5 (3X_t^2) 
Δ12: R_6 = R_6 × R_7 (aZ_1^4 · 8Y_1^4);  R_6 = R_6 + R_6 (aZ_t^4);  R_4 = R_4 + R_6 (M) 
Δ13: R_3 = R_2 × R_3 (Y_tZ_t);  R_3 = R_3 + R_3 (Z_{t+1});  R_1 = R_1 + R_1 (2X_t) 
Δ14: R_2 = R_2 × R_2 (Y_t^2);  R_2 = R_2 + R_2 (2Y_t^2) 
Δ15: R_5 = R_1 × R_2 (S);  R_5 = −R_5 (−S) 
Δ16: R_1 = R_4 × R_4 (M^2);  R_1 = R_1 + R_5 (M^2 − S);  R_1 = R_1 + R_5 (X_{t+1}) 
Δ17: R_2 = R_2 × R_2 (4Y_t^4);  R_7 = R_2 + R_2 (T);  R_5 = R_1 + R_5 (X_{t+1} − S) 
Δ18: R_4 = R_4 × R_5 (M(X_{t+1} − S));  R_2 = R_4 + R_7 (−Y_{t+1});  R_2 = −R_2 (Y_{t+1}) 
Table 11. The TPL^J algorithm in atomic blocks 

TPL^J 
Input: P = (X_1, Y_1, Z_1) 
Output: 3P = (X_3, Y_3, Z_3) 
Init: R_1 = X_1, R_2 = Y_1, R_3 = Z_1 

Δ1:  R_4 = R_3 × R_3 (Z_1^2) 
Δ2:  R_4 = R_4 × R_4 (Z_1^4) 
Δ3:  R_5 = R_1 × R_1 (X_1^2);  R_6 = R_5 + R_5 (2X_1^2);  R_5 = R_5 + R_6 (3X_1^2) 
Δ4:  R_9 = a × R_4 (aZ_1^4);  R_4 = R_5 + R_9 (M) 
Δ5:  R_5 = R_2 × R_2 (Y_1^2);  R_6 = R_5 + R_5 (2Y_1^2);  R_7 = R_6 + R_6 (4Y_1^2) 
Δ6:  R_8 = R_1 × R_7 (4X_1Y_1^2);  R_5 = R_8 + R_8 (8X_1Y_1^2);  R_8 = R_8 + R_5 (12X_1Y_1^2) 
Δ7:  R_5 = R_4 × R_4 (M^2);  R_5 = −R_5 (−M^2);  R_5 = R_8 + R_5 (E) 
Δ8:  R_3 = R_3 × R_5 (Z_3) 
Δ9:  R_8 = R_6 × R_7 (T);  R_7 = R_7 + R_7 (8Y_1^2) 
Δ10: R_6 = R_4 × R_5 (ME);  R_6 = −R_6 (−ME);  R_6 = R_8 + R_6 (T − ME) 
Δ11: R_10 = R_5 × R_5 (E^2) 
Δ12: R_1 = R_1 × R_10 (X_1E^2) 
Δ13: R_5 = R_10 × R_5 (E^3);  R_8 = R_8 + R_6 (2T − ME);  R_5 = −R_5 (−E^3) 
Δ14: R_4 = R_6 × R_7 (8Y_1^2(T − ME));  R_6 = R_6 + R_6 (2(T − ME));  R_6 = −R_6 (2(ME − T));  R_1 = R_1 + R_4 (X_3) 
Δ15: R_6 = R_6 × R_8 (2(ME − T)(2T − ME));  R_6 = R_6 + R_6 (4(ME − T)(2T − ME));  R_6 = R_6 + R_5 (4(ME − T)(2T − ME) − E^3) 
Δ16: R_2 = R_2 × R_6 (Y_3) 
Table 12. The w-TPL^J algorithm in atomic blocks. The 16 blocks of TPL^J must 
be executed once, followed by the blocks Δ17 to Δ31 which have to be executed w − 1 
times. After the execution of TPL^J, the point of coordinates (X_t, Y_t, Z_t) corresponds 
to the point 3P; at the end of the w − 1 iterations, 3^w P = (X_3, Y_3, Z_3) = (X_t, Y_t, Z_t). 

w-TPL^J 
Input: P = (X_1, Y_1, Z_1) 
Output: 3^w P = (X_3, Y_3, Z_3) 
Init: (X_t, Y_t, Z_t) is the result of TPL^J(P), R_9 = aZ_1^4, R_10 = E^2 

Δ17: R_4 = R_9 × R_10 (aZ_1^4E^2) 
Δ18: R_5 = R_1 × R_1 (X_t^2);  R_6 = R_5 + R_5 (2X_t^2);  R_5 = R_5 + R_6 (3X_t^2) 
Δ19: R_9 = R_4 × R_10 (aZ_t^4);  R_4 = R_5 + R_9 (M) 
Δ20: R_5 = R_2 × R_2 (Y_t^2);  R_6 = R_5 + R_5 (2Y_t^2);  R_7 = R_6 + R_6 (4Y_t^2) 
Δ21: R_8 = R_1 × R_7 (4X_tY_t^2);  R_5 = R_8 + R_8 (8X_tY_t^2);  R_8 = R_8 + R_5 (12X_tY_t^2) 
Δ22: R_5 = R_4 × R_4 (M^2);  R_5 = −R_5 (−M^2);  R_5 = R_8 + R_5 (E) 
Δ23: R_3 = R_3 × R_5 (Z_{t+1}) 
Δ24: R_8 = R_6 × R_7 (T);  R_7 = R_7 + R_7 (8Y_t^2) 
Δ25: R_6 = R_4 × R_5 (ME);  R_6 = −R_6 (−ME);  R_6 = R_8 + R_6 (T − ME) 
Δ26: R_10 = R_5 × R_5 (E^2) 
Δ27: R_1 = R_1 × R_10 (X_tE^2) 
Δ28: R_5 = R_10 × R_5 (E^3);  R_8 = R_8 + R_6 (2T − ME);  R_5 = −R_5 (−E^3) 
Δ29: R_4 = R_6 × R_7 (8Y_t^2(T − ME));  R_6 = R_6 + R_6 (2(T − ME));  R_6 = −R_6 (2(ME − T));  R_1 = R_1 + R_4 (X_{t+1}) 
Δ30: R_6 = R_6 × R_8 (2(ME − T)(2T − ME));  R_6 = R_6 + R_6 (4(ME − T)(2T − ME));  R_6 = R_6 + R_5 (4(ME − T)(2T − ME) − E^3) 
Δ31: R_2 = R_2 × R_6 (Y_{t+1}) 
Abstract. We give improved upper bounds on the communication com- 
plexity of optimally-resilient secure multiparty computation in the cryp- 
tographic model. We consider evaluating an n-party randomized function 
and show that if f can be computed by a circuit of size c, then O(cn²κ) 
is an upper bound for active security with optimal resilience t < n/2 and 
security parameter κ. This improves on the communication complexity 
of previous protocols by a factor of at least n. This improvement comes 
from the fact that in the new protocol, only O(n) messages (of size O(κ) 
each) are broadcast during the whole protocol execution, in contrast to 
previous protocols which require at least O(n) broadcasts per gate. 

Furthermore, we improve the upper bound on the communication 
complexity of passive secure multiparty computation with resilience 
t < n from O(cn²κ) to O(cnκ). This improvement is mainly due to 
a simple observation. 

1 Introduction 

1.1 Secure Multiparty Computation 

Secure multiparty computation (MPC) allows a set of n players to compute an 
arbitrary function of their inputs in a secure way. More generally, we consider re- 
active computations, which are specified as a circuit with input gates, evaluation 
gates (e.g., AND and OR gates), random gates, and output gates. 

Security is specified with respect to an adversary corrupting up to t of the 
players for a defined threshold t. A passive adversary can inspect the internal 
state of corrupted players, an active adversary can take full control over them. 
A protocol is t-secure if an adversary attacking the protocol with t corruptions 
can only obtain inevitable goals w.r.t. gathering information and influencing 
the output of the protocol. I.e. it can only learn the inputs and outputs of the 
corrupted players, and, if it is active, only influence the inputs of the corrupted 
players. 

* Supported by FICS, Foundations in Cryptography and Security, Center of the Danish 
Research Council for Natural Sciences. 
1.2 Brief History of MPC 

The MPC problem dates back to Yao [Yao82]. Independently Goldreich, Micali 
and Wigderson and Chaum, Damgård and van de Graaf [GMW87, CDG87] pre- 
sented solutions to the MPC problem. Their protocols provide cryptographic se- 
curity against a computationally bounded active adversary corrupting up to t < 
n/2 of the players. Later, unconditionally secure MPC protocols were proposed 
by Ben-Or, Goldwasser and Wigderson [BGW88] and Chaum, Crépeau and 
Damgård [CCD88] for the secure-channels model, where perfectly secure chan- 
nels are assumed between every pair of parties. These protocols have resilience 
t < n/3. Later Rabin and Ben-Or [RB89] and independently Beaver [Bea91b] 
presented protocols with resilience t < n/2 for the secure-channels model with 
broadcast channels. 

1.3 Previous Work on the Complexity of Secure MPC 

There has been substantial research on the complexity of secure MPC, both the 
round complexity and the communication complexity in messages and bits. 

As for the round complexity of secure MPC, it is now known that in a network 
without any setup any functionality can be computed securely in three rounds 
and that there exist functionalities which cannot be computed in two rounds 
without setup [GIKR02]. Furthermore, it is known that after an initial setup 
phase, any functionality can be computed in two rounds [GIKR02, CDI05] and 
that there exist functionalities which cannot be computed in one round even 
after a setup phase. Even though the results in [GIKR02, CDI05] only apply 
to a setting where the number of parties is relatively small, the above results go 
a long way in resolving the exact round complexity of secure MPC. 

As for the communication complexity, the picture is much more open, and 
we are far from knowing the exact communication complexity of secure MPC. 
The communication complexity of a protocol is measured as the total number of 
bits sent by all uncorrupted parties during the protocol execution. 

Very few results are known about the lower bound on the communication 
complexity, except those which follow trivially from known lower bounds on the 
communication complexity of Byzantine agreement — since the model of secure 
MPC requires agreement on the output, Byzantine agreement is a special case 
of secure MPC. For the upper bound on the communication complexity, much 
more is known. 

The seminal protocols with passive security tend to be very communication- 
efficient, in contrast to their active-secure counterparts, which require high com- 
munication complexities. The high communication complexities of active-secure 
protocols are mainly due to their intensive use of a Byzantine agreement primi- 
tive, which is to be simulated by communication-intensive broadcast protocols. 
The most efficient broadcast protocols for t < n communicate Ω(n²ℓ) bits for 
broadcasting an ℓ-bit message [BGP92, CW92]. We denote the communication 
complexity for broadcasting an ℓ-bit message by B(ℓ). 
Over the years, several protocols have been proposed which improve the ef- 
ficiency of active-secure MPC. In the cryptographic model (with t < n/2), all 
protocols presented so far [GV87, BB89, BMR90, BFKR90, Bea91a, GRR98, 
CDM00, CDD00] require every player to broadcast one message for each multi- 
plication gate. For a circuit with c gates, this results in a total communication 
complexity of Ω(cnB(κ)) = Ω(cn³κ), where κ denotes the security parameter of 
the protocol. In the secure-channels model with broadcast with t < n/2, things 
are even worse: The most efficient protocol in this model [CDD+99] requires 
O(n⁴) κ-bit messages to be broadcast for every multiplication gate. 

In the secure-channels model with t < n/3, recently more efficient proto- 
cols were proposed [HMP00, HM01]: The latter protocol requires only O(n²) 
broadcasts in total (independently of the size of the circuit), and communicates 
an additional O(cn²) bits in total. This result is based on the so-called player- 
elimination framework, where subsets of players with faulty majority are elimi- 
nated. This prevents corrupted players from repetitively disturbing and slowing 
down the computation. Unfortunately, the player-elimination framework cannot 
capture models with t < n/ 2: In order to reconstruct an intermediate value (a 
wire), at least t + 1 players are required. After eliminating a group of players 
with faulty majority, the remaining set of players does not necessarily contain 
t + 1 honest players (it might even contain only one single player), hence the 
remaining players cannot reconstruct intermediate results — and would have to 
restart the whole computation. 


1.4 Contributions 

We consider upper bounds on the communication complexity of active-secure MPC protocols in the cryptographic model with $t < n/2$ and of passive-secure MPC protocols in the cryptographic model with $t < n$. The most efficient active-secure protocol for this model is the protocol by Cramer, Damgård and Nielsen [CDN01]. This protocol requires every player to broadcast $O(1)$ $\kappa$-bit values for each multiplication gate in the circuit. When replacing the broadcast primitive by the most efficient broadcast protocol with resilience $t < n/2$ known today (but unknown at the time when [CDN01] was published), this results in an overall communication complexity of $O(cn^3\kappa)$ for evaluating a circuit with $c$ gates. The same upper bound for active security was proved by Jakobsson and Juels [JJ00] using similar techniques. 

We improve the upper bound for active security by constructing a new MPC protocol for the cryptographic model with resilience $t < n/2$: The new protocol requires every player to broadcast $O(1)$ $\kappa$-bit values in total, i.e., during the whole protocol execution. Additionally, the players communicate $O(n^2\kappa)$ bits per multiplication over the normal channels. This results in a total communication complexity of $O(cn^2\kappa + nB(\kappa)) = O(cn^2\kappa + n^3\kappa)$. If every party has just one input to the circuit, then $c \geq n$ and $O(cn^2\kappa + n^3\kappa) = O(cn^2\kappa)$.¹ 

¹ For simplicity we specify all bounds in the following for circuits with $c = \Omega(n)$. Bounds for $c < n$ are obtained by letting $c = n$. 
The new protocol follows the basic paradigm of [CDN01], enhanced with ideas of [Bea91a] and [HMP00] and several novel technical contributions. Our protocol essentially improves over the best known upper bound for active security by a factor $n$. 

Using a simple observation about threshold homomorphic encryption-based MPC protocols we also present a passive-secure protocol with resilience $t < n$, communicating only $O(cn\kappa)$ bits. This improves the best known upper bound for passive security, as given by the protocol of Franklin and Haber [FH96], by a factor $n$. 


2 Preliminaries 

In this section we discuss our model of security of protocols and we sketch the 
technical setting for threshold homomorphic encryption based MPC. The reader 
familiar with these issues can safely skip this section. 

2.1 Model 

We consider n players that are pairwise connected with authenticated open chan- 
nels and we assume synchronous communication. The adversary may corrupt any 
t of the players. All parties and the adversary are restricted to probabilistic poly- 
nomial time. We consider a static adversary, which corrupts all parties before 
the protocol execution. 

Specifying a multiparty functionality. We assume that the task to be realized is given by an arithmetic circuit with input, addition, multiplication, randomizing and output gates, all over some ring $\mathbb{M}$. We consider reactive circuits where some input gates might appear after output gates. We assume that the circuit is divided into layers, each being either an input layer, consisting solely of input gates, an evaluation layer, consisting of addition, multiplication, and randomizing gates, or an output layer, consisting solely of output gates. An input gate $G$ specifies its layer and the party that is to supply the value for the gate. A negation gate specifies its layer and a gate in a previous layer, from which it takes its input. An addition gate as well as a multiplication gate specifies its layer and two gates in a previous layer, from which it takes its inputs. An output gate specifies its layer and a gate in a previous layer, which is to be revealed. 

The ideal evaluation. To explain the multiparty functionality specified by a reactive circuit, it is convenient to imagine an ideal process, where the parties are connected to a fully trusted party with secure channels. The ideal evaluation of the circuit takes place in a layer by layer manner. For each input layer, for every gate specifying $P_i$ as the party to contribute the input, $P_i$ sends to the trusted party an input value $v \in \mathbb{M}$ over a secure line. If no value is sent, the trusted party sets $v$ to be $0$. For each evaluation layer, the trusted party computes the values of all evaluation gates according to the circuit: Randomizing gates are set to uniformly random values $v \in \mathbb{M}$, and addition gates and multiplication gates are evaluated in the expected manner. For each output layer, the trusted party sends the value of all output gates in the layer to all parties. 

Notice that in the ideal evaluation an adversary controlling some set of cor- 
rupted parties can only achieve inevitable goals: Of information it only learns the 
output and the corrupted parties’ inputs and, if it is active, the only influence 
it can exert on the evaluation is changing the corrupted parties’ inputs to the 
function. 

The goal of a protocol for a circuit is to realize the same functionality in a 
real-life network. 

The real-life model. We assume that the network has a setup phase. In the setup phase a setup function $s : \{0,1\}^* \to (\{0,1\}^*)^{n+1},\ r \mapsto (p, s_1, \dots, s_n)$ is evaluated on a random input, and the value $p$ is made public. The value $s_i$ is only given to the party $P_i$. The reason for having a setup phase is that we will be interested in MPC protocols with active resilience $t < n/2$, and without a setup phase not even the Byzantine agreement problem [LSP82], which is a special case of the general MPC problem, can be solved with active resilience $t < n/2$. The function $s$ is specified as part of the general protocol. In particular, $s$ is not allowed to depend on the circuit. 

Defining security. There are many proposals on how to model the security of 
an n-party protocol, i.e. for what it means for a protocol to realize the ideal 
evaluation of a circuit. Common to most is that the real-life adversary can only 
obtain goals comparable to those of an ideal-model adversary, i.e. inevitable 
goals. 

The comparison of the protocol execution to the ideal evaluation is made by 
requiring that the complete view of an adversary attacking the protocol execu- 
tion can be simulated given only the view of an adversary attacking the ideal 
evaluation with the same corrupted parties. This captures exactly the idea that 
the information gathering and the influencing capabilities of the adversary in- 
clude nothing extra to that of which the adversary is entitled. This so-called 
simulation approach to comparing the protocol execution to the ideal evaluation 
originates in the definition of zero-knowledge proof in [GMR85] by Goldwasser, 
Micali and Rackoff. For the MPC setting the simulation approach is introduced 
by Goldreich, Micali and Wigderson [GMW87] and elaborated on in a large body 
of later work [GL90, MR91, Bea91b, BCG93, HM00, Can00, Can01]. Of these models, the universally composable (UC) security framework of Canetti [Can01] gives the strongest security guarantees. When proving an upper bound it makes sense to consider the strongest security notion. The core model in [Can01] is asynchronous, but contains hints on how to apply it to a synchronous setting as we consider here. This was e.g. done in [DN03]. It is straightforward to formally cast our reactive circuit model in the model of [DN03], and we can prove all our protocols secure in this model. 

For the detail of proofs permitted in this extended abstract we will not need any formal details about this particular simulation model. The informal proof sketches given in subsequent sections can easily be extended to fully formal simulation proofs using by now standard proof techniques for threshold homomorphic encryption based MPC, see e.g. [CDN01, DN03]. 

2.2 Homomorphic Encryption Scheme 

In our protocols we assume the existence of a semantically secure (in the sense of IND-CPA [BDPR98]) probabilistic public-key encryption function $E_Z : \mathbb{M} \times \mathbb{R} \to \mathbb{E},\ (m, \alpha) \mapsto M$, where $Z$ denotes the public key, $\mathbb{M}$ denotes a set of messages, $\mathbb{R}$ denotes the set of random strings, and $\mathbb{E}$ denotes the set of encryptions. We write $E$ instead of $E_Z$ for shorthand. The decryption function is $D_z : \mathbb{E} \to \mathbb{M},\ M \mapsto m$, where $z$ denotes the secret key. Again, we write $D$ instead of $D_z$. 

We require that $E$ is a group homomorphism, i.e., $E(m_1, \alpha_1) \oplus E(m_2, \alpha_2) = E(m_1 + m_2, \alpha_1 \boxplus \alpha_2)$ for the corresponding group operations $+$ in $\mathbb{M}$, $\boxplus$ in $\mathbb{R}$, and $\oplus$ in $\mathbb{E}$. We require that $\mathbb{M}$ is a ring $\mathbb{Z}_M$ for $M > 1$. The other groups can be arbitrary. 

In general we use capital letters to denote the encryption of the corresponding lowercase letters. For $a \in \mathbb{N}$, $B \in \mathbb{E}$ and $\alpha \in \mathbb{R}$ we write $aB$ as a shorthand for $B \oplus \cdots \oplus B$ with $a - 1$ additions and we use $\alpha^a$ as a shorthand for $\alpha$ [...] with $a - 1$ multiplications. We use $A \ominus B$ to denote [...] where $-B$ denotes the inverse of $B$ in $\mathbb{E}$. 

We define a ciphertext-randomization function $\mathcal{R} : \mathbb{E} \times \mathbb{R} \to \mathbb{E},\ (M, \gamma) \mapsto M \oplus E(0, \gamma)$. If $M = E(m, \alpha)$, then $\mathcal{R}(M, \gamma) = E(m, \alpha \boxplus \gamma)$. If $\gamma$ is uniformly random in $\mathbb{R}$ and independent of $\alpha$, then $\alpha \boxplus \gamma$ is uniformly random in $\mathbb{R}$ and independent of $\alpha$, so $\mathcal{R}(M, \gamma)$ will be a new independent, uniformly random encryption of $m$. We say that $M' = \mathcal{R}(M, \gamma)$ is a randomization of $M$. 

We also require that there exists a passive-secure threshold function sharing of $D_z$ between $n$ parties. I.e., for a given threshold $t$ we split the decryption key $z$ into $n$ shares $z_1, \dots, z_n$ and there exists a share-decryption function $SD_{z_i} : \mathbb{E} \to \mathbb{S},\ M \mapsto m_i$, where $\mathbb{S}$ denotes the set of message shares. And there exists a combining function $C : \mathbb{S}^{t+1} \to \mathbb{M},\ (m^{(1)}, \dots, m^{(t+1)}) \mapsto m$, with the property that if $M = E_Z(m)$ and $m^{(i)} = SD_{z_{j_i}}(M)$ for $i = 1, \dots, t+1$ and $t + 1$ distinct key shares $z_{j_i}$, then $m = C(m^{(1)}, \dots, m^{(t+1)})$. We require that the semantic security holds even when the distinguisher is given any $t$ decryption key shares prior to the distinguishing game. Furthermore, for all $M = E_Z(m)$, given $M$, $m$ and any $t$ key shares one can efficiently compute all decryption shares $m_i = SD_{z_i}(M)$ for $i \in \{1, \dots, n\}$. This requirement is made to guarantee that no subset of the parties of size at most $t$ learns anything from the other parties' decryption shares which they could not have computed themselves from the result of the decryption. 

Realizations. The probabilistic encryption function of Paillier [Pai99], enhanced by threshold decryption [FPS00, DJ01], satisfies all required properties. This scheme has $\mathbb{M} = \mathbb{Z}_N$ for an RSA modulus $N$. A scheme satisfying the requirements can also be built based on the QR assumption [CDN01, KY02]. For this scheme $\mathbb{M} = \mathbb{Z}_2$. 
2.3 Non-malleable Zero-Knowledge Proofs 

The passive-secure protocol uses only a threshold homomorphic encryption scheme as described above. To add robustness and independence of inputs to the active protocol, a number of zero-knowledge proofs of correct behavior and a non-malleable proof of knowledge are needed. In the following sections we refer to these proofs when they are needed. The proofs can all be realized with three-round protocols with a total of $O(\kappa)$ bits of communication per proof. The scheme based on the QR assumption in addition needs the strong RSA assumption for the proofs to be realizable in $O(\kappa)$ bits. 

Details on how to realize the non-malleable zero-knowledge proofs can be 
found in e.g. [CDN01]. 

3 Active-Secure MPC Protocol for t < n/2 

In this section we present our upper bound on the communication complexity 
of an active-secure MPC protocol. The upper bound is given by a protocol. We 
first give an overview on this protocol, then present the required sub-protocols, 
and finally analyze the security and the communication complexity. 

3.1 Overview 

In the protocol description we use $\mathcal{P} = \{P_1, \dots, P_n\}$ to denote the set of parties. We assume that the parties agree on the circuit before the protocol is run. The circuit is specified over the ring $\mathbb{M}$ of the encryption scheme with input gates, addition gates, multiplication gates, randomizing gates, and output gates. The proposed protocol can easily be modified to evaluate Boolean circuits, see Section 3.7 for details. In the simplest case, when the parties wish to evaluate a deterministic function, the circuit will consist of a layer of input gates, then the arithmetic gates necessary to evaluate the function, and finally the output gates. However, we also consider randomizing gates, set to unknown random values, and reactive circuits, where some players may receive output before some (other) players provide inputs. 

The proposed protocol follows Beaver’s circuit randomization ap- 
proach [Bea91a]: In a preparation phase, a pool of random triples (a, b, c), with 
c = ab, are generated, encrypted and distributed to all players. In the evaluation 
phase, for each multiplication one prepared triple is used. This approach brings 
two advantages: First, it might be simpler to generate random products (instead 
of multiplying two given values). Second, the load of the multiplication protocol 
is shifted to the preparation phase, where all triples are generated in parallel, 
and costs can be amortized. 

More formally, the protocol proceeds in three phases: 

Setup Phase: In the setup phase a random key pair (Z, z) is generated and 
the decryption key z is shared among the parties with threshold t, where 
t < n/2. 
Preparation Phase: In a preparation phase, $c_M$ random triples $(a^{(i)}, b^{(i)}, c^{(i)}) \in \mathbb{M}^3$ (for $i = 1, \dots, c_M$) with $c^{(i)} = a^{(i)} b^{(i)}$ are generated, encrypted, and given to every player in $\mathcal{P}$, where $c_M$ denotes the number of multiplication gates in the circuit. Furthermore, $c_R$ random values $r^{(i)} \in \mathbb{M}$ (for $i = 1, \dots, c_R$) are generated and encrypted, where $c_R$ denotes the number of random gates in the circuit. 

Evaluation Phase: In an evaluation phase, the gates of the circuit are 
processed level by level, associating to each gate a random ciphertext en- 
crypting the (output) value of the gate. The various gates are handled as 
follows: For each input gate, the designated input party broadcasts an encryp- 
tion of its input for that gate. Addition gates are handled non-interactively 
using the homomorphic properties of the encryption scheme. For each mul- 
tiplication gate one prepared triple from the preparation phase is used as 
described in [Bea91a]. For each randomizing gate, an encryption of a pre- 
pared random value is used. For the output gates, the ciphertexts are 
decrypted using the threshold function sharing of D z . 

In the subsequent sections we describe the phases of the protocol in detail, 
and finally analyze the overall complexity of the protocol. 

3.2 Setup Phase 

The setup function generates $((Z, pk, H), z_1, \dots, z_n)$, where $(Z, z)$ is a random key pair with $z$ split into $(z_1, \dots, z_n)$ with threshold $t$, $pk$ is a random key for a non-malleable trapdoor commitment scheme,² and $H$ is a random hash function chosen from a class of collision-resistant hash functions, which is used by a protocol described in the following section. The setup function also sets up digital signatures to allow for Byzantine Agreement (BA) with resilience $t < n/2$, as discussed in Section 2.1. 

One could consider a simpler setup function which only sets up digital signature keys. This allows one to realize BA for resilience $t < n/2$, which in turn allows one to run a secure protocol to compute the setup function for the remaining values, using either a specialized protocol or one of the general MPC protocols. In all cases this would add a term $p = O(\mathrm{poly}(n + \kappa))$ to our bounds, where $p$ is independent of the circuit to be evaluated, giving a bound $O(cn^2\kappa + \mathrm{poly}(n + \kappa))$. 


3.3 Preparation Phase 

The goal of this phase is to securely generate $c_M$ encrypted triples $(A^{(i)}, B^{(i)}, C^{(i)})$ ($i = 1, \dots, c_M$), where $a^{(i)}$ and $b^{(i)}$ are uniformly random values from $\mathbb{M}$ unknown to all parties and $c^{(i)} = a^{(i)} b^{(i)}$, and furthermore, to generate $c_R$ encrypted random values $R^{(i)}$ ($i = 1, \dots, c_R$). 

The preparation phase proceeds in three stages: First, $c_M$ random factors $A^{(1)}, \dots, A^{(c_M)}$ are generated. Second, the factors $B^{(1)}, \dots, B^{(c_M)}$ and the products $C^{(1)}, \dots, C^{(c_M)}$ are computed in parallel. Third, the random values $R^{(1)}, \dots, R^{(c_R)}$ for the randomizing gates are prepared. 

² To be used in the non-malleable zero-knowledge proofs (see [CDN01]). 

In each stage, every player in $\mathcal{P}$ contributes to the generation of the values. However, not all these contributions will be considered. Instead, the players in $\mathcal{P}$ agree on a subset $\mathcal{P}_{ok} \subseteq \mathcal{P}$ with the following two properties: (1) Every player in $\mathcal{P}_{ok}$ successfully verified the contribution of every other player in $\mathcal{P}_{ok}$, and (2) the majority of the players in $\mathcal{P}_{ok}$ is honest. Given both properties are satisfied, the output of the stage (so far known only to $\mathcal{P}_{ok}$) can easily be made known to the players in $\mathcal{P} \setminus \mathcal{P}_{ok}$. This interim reduction of the player set is similar to the player elimination framework of [HMP00], but, as opposed to that framework, can also be applied to settings with $t < n/2$. 

For the sake of easier presentation, we use a vector notation: We denote the triples by $(\mathbf{A}, \mathbf{B}, \mathbf{C})$ and the random values by $\mathbf{R}$. Furthermore, we extend all operators on group elements also to vectors of group elements, where the semantics is component-wise application of the operator. 

Prepare $c_M$ Random Ciphertexts $\mathbf{A}$. We first present a protocol to generate a single random encryption $A$, and will then extend it to generate $c_M$ random ciphertexts $\mathbf{A}$ at once. The protocol proceeds as follows: 

1. Every player $P_i \in \mathcal{P}$ selects at random $a_i \in \mathbb{M}$ and computes an encryption $A_i = E(a_i)$. 

2. Every player $P_i \in \mathcal{P}$ sends $A_i$ to every player $P_j \in \mathcal{P}$, and proves to $P_j$ interactively that he knows the plaintext of $A_i$. 

3. Every player $P_i$ broadcasts the hash value $h_i = H(A_i)$ among all players in $\mathcal{P}$, where $H$ denotes the collision-resistant hash function defined in the setup phase. 

4. Initially we set the set of mutually agreeing players to $\mathcal{P}_{ok} = \mathcal{P}$. Then, in sequence, every player $P_j \in \mathcal{P}_{ok}$ verifies for every player $P_i \in \mathcal{P}_{ok}$ whether 

- the broadcast hash value $h_i$ matches the received encryption $A_i$, i.e., $h_i = H(A_i)$, and 

- the bilateral interactive proof by $P_i$ is accepting for $P_j$. 

If $P_j$'s verifications succeed for all players $P_i \in \mathcal{P}_{ok}$, then $P_j$ broadcasts $\top$ to confirm so. Otherwise, $P_j$ picks the index $i$ of some player $P_i \in \mathcal{P}_{ok}$ that failed in $P_j$'s verification, and broadcasts $i$. In the latter case, both players $P_i$ and $P_j$ are removed from the set $\mathcal{P}_{ok}$ of agreeing players, i.e., all players set $\mathcal{P}_{ok} \leftarrow \mathcal{P}_{ok} \setminus \{P_i, P_j\}$. 

5. Every player $P_j \in \mathcal{P}_{ok}$ sets $A = \bigoplus_{P_i \in \mathcal{P}_{ok}} A_i$ and sends it to every $P_i \in \mathcal{P} \setminus \mathcal{P}_{ok}$. 

6. Every player $P_i \in \mathcal{P} \setminus \mathcal{P}_{ok}$ sets $A$ as the majority of the values received from players in $\mathcal{P}_{ok}$. 

We first argue that at the end of the protocol, all players in $\mathcal{P}$ hold the same encryption $A$, and then, that the plaintext of $A$ is unknown to the adversary. One can easily verify that all honest players in $\mathcal{P}_{ok}$ compute the same value $A$ (otherwise they hold a collision of $H$). Furthermore, the majority of players in $\mathcal{P}_{ok}$ is honest (at least half of the removed players $\mathcal{P} \setminus \mathcal{P}_{ok}$ are corrupted), hence in Step 5, the majority of players $P_j \in \mathcal{P}_{ok}$ distributes the correct value $A$, and all players in $\mathcal{P}$ will decide for the same value $A$. In order to argue about the secrecy of the plaintext of $A$, observe that at least one player $P_i$ in $\mathcal{P}_{ok}$ is honest and chooses $a_i$ uniformly at random. Since the encryption scheme is semantically secure³ and the proof of plaintext knowledge for $a_i$ is zero-knowledge, the protocol reveals zero knowledge about $a_i$ to the corrupted parties.⁴ Since all (corrupted) parties $P_j \in \mathcal{P}_{ok}$ gave a non-malleable proof of plaintext knowledge of their contribution $a_j$, and this proof was accepted by all parties in $\mathcal{P}_{ok}$ (at least one of them being honest), their shares $a_j$ are independent of the share $a_i$. It follows that $A$ is an encryption of a uniformly random value $a = \sum_{P_i \in \mathcal{P}_{ok}} a_i$ of which the adversary has zero knowledge. This informal sketch of the security can be turned into a formal simulation proof using known proof techniques, see e.g. [CDN01, DN03]. 
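The following is an added simulation (example code, not from the paper) of Step 4 of the protocol above: each player's verdicts are modelled abstractly by a constructed matrix saying whether $P_j$'s hash check and bilateral proof of $P_i$ succeeded (assumed always to succeed between two honest players), the sequential complaint round is run, and the honest-majority property of $\mathcal{P}_{ok}$ argued above is checked against randomly chosen adversary behaviour.

```python
"""Simulation of the P_ok agreement step (Step 4 of the 'Prepare A' protocol).
Added example, not the paper's code. Verdicts are modelled abstractly: the
constructed matrix verifies[j][i] is True when P_j's two checks of P_i (the
broadcast hash matches the received A_i, and P_i's bilateral proof of
plaintext knowledge is accepting) both succeed. Assumption: two honest
players always verify each other (authenticated channels, honest proofs)."""
import random


def agree_on_pok(n, verifies):
    """Run Step 4 and return the final P_ok as a set of player indices.

    Players speak in order P_0, ..., P_{n-1}. A player still in P_ok either
    broadcasts 'T' (all its checks of current P_ok members passed) or the index
    of one member it failed; in the latter case both players leave P_ok. A
    player already removed gets no say, and complaints about players that were
    removed earlier are no longer needed."""
    pok = set(range(n))
    for j in range(n):
        if j not in pok:
            continue
        failed = [i for i in sorted(pok) if i != j and not verifies[j][i]]
        if failed:
            pok -= {j, failed[0]}
    return pok


def honest_majority(pok, corrupted):
    """Property (2) of P_ok: strictly more honest than corrupted members."""
    honest = len(pok - corrupted)
    return honest > len(pok) - honest


def adversarial_verdicts(n, corrupted, rng):
    """Constructed verdict matrix for one run. Any check that involves a
    corrupted player is under the adversary's control (a corrupted P_i can
    send a bad ciphertext or proof to P_j, a corrupted P_j can complain about
    anyone); the adversary's choice is modelled as a coin flip."""
    verifies = [[True] * n for _ in range(n)]
    for j in range(n):
        for i in range(n):
            if i != j and (i in corrupted or j in corrupted):
                verifies[j][i] = rng.random() < 0.5
    return verifies


def simulate(n, t, trials=500, seed=2005):
    """Check, over many random adversary strategies with t < n/2 corruptions,
    that P_ok is never empty and always has an honest majority: every removed
    pair contains at least one corrupted player, so the honest surplus of the
    full player set survives the removals."""
    assert 2 * t < n, "the argument needs t < n/2"
    rng = random.Random(seed)
    for _ in range(trials):
        corrupted = set(rng.sample(range(n), t))
        pok = agree_on_pok(n, adversarial_verdicts(n, corrupted, rng))
        if not pok or not honest_majority(pok, corrupted):
            return False
    return True


if __name__ == "__main__":
    print("honest majority in P_ok for n=7, t=3:", simulate(7, 3))
```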

In order to generate $c_M$ random ciphertexts $\mathbf{A}$, the above protocol is slightly modified: 

1. Every player $P_i \in \mathcal{P}$ selects at random $\mathbf{a}_i \in \mathbb{M}^{c_M}$ and computes its component-wise ciphertexts $\mathbf{A}_i$. 

2. Every player $P_i \in \mathcal{P}$ sends $\mathbf{A}_i$ to every player $P_j \in \mathcal{P}$, and proves to $P_j$ interactively that he knows the plaintext of each component of $\mathbf{A}_i$. 

3. Every player $P_i$ broadcasts the hash value $h_i = H(\mathbf{A}_i)$ among all players in $\mathcal{P}$. 

4. Set $\mathcal{P}_{ok} = \mathcal{P}$ and, in sequence, every player $P_j \in \mathcal{P}_{ok}$ verifies for every player $P_i \in \mathcal{P}_{ok}$ whether 

- the broadcast hash value $h_i$ matches the received ciphertexts $\mathbf{A}_i$, i.e., $h_i = H(\mathbf{A}_i)$, and 

- all the bilateral interactive proofs by $P_i$ are accepting for $P_j$. 

If $P_j$'s verifications succeed for all players $P_i \in \mathcal{P}_{ok}$, then $P_j$ broadcasts $\top$ to confirm so. Otherwise, $P_j$ picks the index $i$ of some player $P_i \in \mathcal{P}_{ok}$ that failed in $P_j$'s verification, and broadcasts $i$. In the latter case, both players $P_i$ and $P_j$ are removed from the set of agreeing players, i.e., all players set $\mathcal{P}_{ok} \leftarrow \mathcal{P}_{ok} \setminus \{P_i, P_j\}$. 

5. Every player $P_j \in \mathcal{P}_{ok}$ sets $\mathbf{A} = \bigoplus_{P_i \in \mathcal{P}_{ok}} \mathbf{A}_i$ and sends it to every $P_i \in \mathcal{P} \setminus \mathcal{P}_{ok}$. 

6. Every player $P_i \in \mathcal{P} \setminus \mathcal{P}_{ok}$ sets $\mathbf{A}$ as the majority of the vectors received from players in $\mathcal{P}_{ok}$. 


³ Notice that the fact that the decryption key is shared between the parties is no problem for the semantic security as the adversary can inspect at most $t$ parties; Since the decryption key is shared with threshold $t$, the $t$ shares known by the adversary give zero knowledge about the decryption key. 

⁴ Here we colloquially distinguish between information and knowledge. Since $A_i$ determines $a_i$, clearly the adversary has full information about $a_i$. However, by the semantic security and the fact that the adversary is polynomial time bounded, it has zero knowledge about $a_i$. 
The security of this protocol follows immediately from the security of the previous protocol. The communication complexity of the protocol is $O(c_M n^2\kappa + nB(\kappa))$ bits. 

Prepare Random Ciphertexts $\mathbf{B}$ and Products $\mathbf{C}$. The $\mathbf{B}$ and $\mathbf{C}$ values of the triples are generated similarly to the $\mathbf{A}$ values. For the sake of simplicity, we present solely the protocol for generating a single triple. The generalization to vectors of triples is straightforward along the lines of the protocol for generating $\mathbf{A}$. 

1. Every player $P_i \in \mathcal{P}$ selects at random $b_i \in \mathbb{M}$, computes $B_i = E(b_i)$ and $C_i = \mathcal{R}(b_i A)$. 

2. Every player $P_i \in \mathcal{P}$ sends $B_i$ and $C_i$ to every player $P_j \in \mathcal{P}$, and proves to $P_j$ interactively that he knows the plaintext $b_i$ of $B_i$, and that $C_i$ is a randomization of $b_i A$. 

3. Every player $P_i$ broadcasts the hash value $h_i = H(B_i, C_i)$ among all players in $\mathcal{P}$. 

4. Set $\mathcal{P}_{ok} = \mathcal{P}$ and, in sequence, every player $P_j \in \mathcal{P}_{ok}$ verifies for every player $P_i \in \mathcal{P}_{ok}$ whether 

- the broadcast hash value $h_i$ matches the received ciphertexts $(B_i, C_i)$, i.e., $h_i = H(B_i, C_i)$, and 

- all the bilateral interactive proofs by $P_i$ are accepting for $P_j$. 

If $P_j$'s verifications succeed for all players $P_i \in \mathcal{P}_{ok}$, then $P_j$ broadcasts $\top$ to confirm so. Otherwise, $P_j$ picks the index $i$ of some player $P_i \in \mathcal{P}_{ok}$ that failed in $P_j$'s verification, and broadcasts $i$. In the latter case, both players $P_i$ and $P_j$ are removed from the set of agreeing players, i.e., all players set $\mathcal{P}_{ok} \leftarrow \mathcal{P}_{ok} \setminus \{P_i, P_j\}$. 

5. Every player $P_j \in \mathcal{P}_{ok}$ sets $B = \bigoplus_{P_i \in \mathcal{P}_{ok}} B_i$ and $C = \bigoplus_{P_i \in \mathcal{P}_{ok}} C_i$ and sends them to every $P_i \in \mathcal{P} \setminus \mathcal{P}_{ok}$. 

6. Every player $P_i \in \mathcal{P} \setminus \mathcal{P}_{ok}$ sets $B$ and $C$ to be the majority of the values received from players in $\mathcal{P}_{ok}$. 

The correctness of the resulting triple $(A, B, C)$ follows directly from the distributive law in groups. The security of the protocol can be argued along the lines of the proof of the previous protocol. 

The above protocol can be extended to vector values in a straightforward manner. The communication complexity of the extended protocol is $O(c_M n^2\kappa + nB(\kappa))$ bits. 

Prepare $c_R$ Random Values $\mathbf{R}$. The random vector $\mathbf{R}$ is prepared exactly as the random vector $\mathbf{A}$, only the corresponding $\mathbf{B}$ and $\mathbf{C}$ vectors are not generated. 

3.4 Evaluation Phase 

In the evaluation phase, the circuit is evaluated layer by layer. In the following, 
we give the protocols for evaluating the different types of gates. 
Input Gates. When a party $P_i$ is to provide an input for some gate $G$, the parties proceed as follows: 

1. $P_i$ computes $V_i = E(v_i)$ and broadcasts $V_i$. 

2. $P_i$ bilaterally proves (in zero-knowledge) knowledge of the plaintext $v_i$ to every player $P_j \in \mathcal{P}$. 

3. Each $P_j \in \mathcal{P}$ lets $b_j = 1$ if the proof from $P_i$ was accepted and lets $b_j = 0$ otherwise. 

4. The parties in $\mathcal{P}$ run a BA with input $b_j$ from $P_j$. Let the output be $b \in \{0, 1\}$. 

5. If $b = 1$, then each $P_j \in \mathcal{P}$ sets the encryption for gate $G$ to be the broadcast value $V_i$; Otherwise, $P_j$ sets the encryption for gate $G$ to be $E(0, e)$, where $0$ and $e$ denote the neutral elements of $\mathbb{M}$ and $\mathbb{R}$ respectively. 

After this protocol the input gate is defined to the same value by all parties. The proof of knowledge given by $P_i$ serves the purpose of guaranteeing independence of inputs. The privacy of the protocol follows from the semantic security of the encryption scheme, using that the proofs are zero-knowledge. 

Using that the communication complexity of one zero-knowledge proof is $O(\kappa)$, the communication complexity for giving one input is seen to be $O(B(\kappa) + n\kappa + B(1))$. Assuming that $B(\kappa) > n\kappa$, this is $O(B(\kappa))$. 

Output Gates. When the value of some gate $G$ (with associated ciphertext $M$) is to be revealed towards a party $P_j$, the parties proceed as follows: 

1. Every player $P_i \in \mathcal{P}$ computes $m_i = SD_{z_i}(M)$ and sends it to $P_j$. 

2. Every player $P_i \in \mathcal{P}$ gives a zero-knowledge proof to every other party $P_j$ that $m_i$ is a correct $i$th decryption share. 

3. $P_j$ collects $t + 1$ decryption shares for which the proof of correct decryption share succeeded and combines them to obtain $m = D(M)$. 

Since at least $t + 1$ parties are honest, $P_j$ will be able to collect $t + 1$ shares where the proof succeeded. By the soundness of the zero-knowledge proof all collected shares will be correct, except with negligible probability. By the way the values $(z_1, \dots, z_n)$ were set up and the requirements on the share combining algorithm we have that indeed $m = D_z(M)$. 

The privacy of the protocol follows from the requirements on the threshold decryption protocol: from the result of the protocol and the key shares of the $t$ corrupted parties, the adversary could compute the decryption shares of the honest parties on its own. Therefore the protocol leaks zero knowledge about the key shares of the honest parties. 

The communication complexity is seen to be $O(n\kappa)$ per output gate and party to learn the output. If all parties are to learn the output, the communication complexity is $O(n^2\kappa)$ per output gate. 

If only one party is to learn the output and the output should be private, the decryption shares sent to $P_j$ should be sent over private channels. This does not affect the order of the communication complexity. 


Addition Gates. For an addition gate $G$ whose input gates have associated ciphertexts $M_1$ and $M_2$, the associated ciphertext of $G$ is set to be $M_G = M_1 \oplus M_2$. As the $\oplus$-operator is deterministic, all parties agree on the encryption $M_G$, and by the homomorphic properties of $\oplus$ it holds that $D(M_G) = D(M_1) + D(M_2)$. 

Multiplication Gates. For a multiplication gate $G$ where the two input gates have associated ciphertexts $M_1$ and $M_2$, the associated ciphertext $M_G$ of $G$ is computed as follows: 

1. Every party $P_i \in \mathcal{P}$ picks the prepared triple $(A, B, C)$ that is associated with the gate. 

2. Every party $P_i \in \mathcal{P}$ computes $D = A \oplus M_1$ and $E = B \oplus M_2$. 

3. Every party $P_i \in \mathcal{P}$ invokes the decryption protocol from Section 3.4 on $D$ and $E$. Denote the results by $d$ and $e$ respectively. 

4. Every party sets $M_G = (eM_1) \ominus (dB) \oplus C$. 

The above way to use a prepared triple is from [Bea91a]. 

We argue that the protocol maintains agreement on the associated ciphertexts. Assume that the parties agree on $M_1$ and $M_2$. By the fact that $\oplus$ is a function, the parties will agree on $D$ and $E$. Therefore the decryption protocol will return correct and consistent $d$ and $e$ values to the parties. Using that $\ominus$ and $\oplus$ are functions it then follows that the parties will agree on $M_G$. 

We then argue the correctness of the protocol. By the correctness of the decryption protocol and the homomorphic properties of $\oplus$ and $\ominus$ we have that $D(M_G) = em_1 - db + c = (b + m_2)m_1 - (a + m_1)b + ab = m_1 m_2$, where $m_1 = D(M_1)$ and $m_2 = D(M_2)$. 

For the privacy, the only values that are revealed are $d$ and $e$. However, since $a$ and $b$ are independent, uniformly random elements from $\mathbb{M}$ unknown to any adversary which inspects at most $t$ parties, it follows that $d$ and $e$ are uniformly random and independent of $m_1$ and $m_2$ in the view of the adversary. Therefore the protocol leaks zero knowledge about $m_1$ and $m_2$. 

The communication complexity per gate is that of two invocations of the decryption protocol, i.e. $O(n^2\kappa)$. 
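As an added example (not the paper's code), the following Python instance of the homomorphic scheme of Section 2.2, Paillier with a constructed toy modulus, runs the plain arithmetic behind Sections 3.3 and 3.4: each player's contributions $A_i$, $B_i$, $C_i = \mathcal{R}(b_i A)$ are summed into a triple, and a multiplication gate is evaluated from $d$, $e$ as $(eM_1) \ominus (dB) \oplus C$. The threshold decryption $SD$/$C$ and the agreement on $\mathcal{P}_{ok}$ are outside the example; a single decryption key stands in for the $t+1$ decryption shares, which is an assumption.

```python
"""Paillier as an instance of the homomorphic interface of Section 2.2, used to
check the triple preparation (Section 3.3) and Beaver multiplication
(Section 3.4). Added example, not the paper's code. Assumptions: a constructed
toy modulus N = 10007 * 10009 (far too small for real use), and plain
decryption in place of the t-out-of-n threshold function sharing SD/C."""
import math
import random

P, Q = 10007, 10009                                   # constructed toy primes
N = P * Q                                             # message space M = Z_N
N2 = N * N                                            # ciphertexts live in Z_{N^2}^*
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # Carmichael's lambda(N)
MU = pow(LAMBDA, -1, N)                               # decryption constant


def rand_r():
    """Uniform element of R = Z_N^* (the group of random strings)."""
    while True:
        r = random.randrange(1, N)
        if math.gcd(r, N) == 1:
            return r


def enc(m, r=None):
    """E_Z(m, r) = (1+N)^m * r^N mod N^2; a fresh r is drawn when none is given."""
    r = rand_r() if r is None else r
    return (pow(1 + N, m % N, N2) * pow(r, N, N2)) % N2


def dec(c):
    """D_z(c) = L(c^lambda mod N^2) * mu mod N with L(u) = (u - 1) / N."""
    return (((pow(c, LAMBDA, N2) - 1) // N) * MU) % N


def add(c1, c2):
    """The group operation (+) on E: E(m1,r1) (+) E(m2,r2) = E(m1+m2, r1*r2)."""
    return (c1 * c2) % N2


def smul(a, c):
    """aC, i.e. C (+) ... (+) C with a - 1 additions."""
    return pow(c, a, N2)


def neg(c):
    """-C, the inverse of C in E."""
    return pow(c, -1, N2)


def randomize(c, gamma=None):
    """R(M, gamma) = M (+) E(0, gamma): a fresh encryption of the same plaintext."""
    return add(c, enc(0, gamma))


NEUTRAL = 1                                           # E(0, 1): neutral element of (E, (+))


def prepare_triple(n_players, rng=random):
    """One triple (A, B, C) built from every player's contribution as in
    Section 3.3: A = (+) A_i, B = (+) B_i, C = (+) R(b_i A), so that
    D(C) = D(A) * D(B). All players are assumed to be in P_ok here."""
    A = NEUTRAL
    for _ in range(n_players):
        A = add(A, enc(rng.randrange(N)))             # A_i = E(a_i)
    B, C = NEUTRAL, NEUTRAL
    for _ in range(n_players):
        b_i = rng.randrange(N)
        B = add(B, enc(b_i))                          # B_i = E(b_i)
        C = add(C, randomize(smul(b_i, A)))           # C_i = R(b_i A)
    return A, B, C


def multiply_gate(M1, M2, triple):
    """Beaver multiplication of Section 3.4: reveal d = a + m1 and e = b + m2,
    then M_G = (e M1) (-) (d B) (+) C, whose plaintext is m1 * m2."""
    A, B, C = triple
    D, E = add(A, M1), add(B, M2)
    d, e = dec(D), dec(E)     # in the protocol: threshold-decrypted by t+1 parties
    return add(add(smul(e, M1), neg(smul(d, B))), C)


def multiply_plaintexts(m1, m2, n_players=3):
    """End-to-end check: encrypt m1, m2, multiply with a prepared triple, decrypt."""
    triple = prepare_triple(n_players)
    return dec(multiply_gate(enc(m1), enc(m2), triple))


if __name__ == "__main__":
    print(multiply_plaintexts(123, 456) == 123 * 456 % N)
```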

Randomizing Gates. When the circuit is evaluated, the randomizing gates should be initialized by uniformly random values. To reflect the ideal evaluation the random values used for initialization should be unknown to all parties. Therefore, to every randomizing gate, one random encrypted value $R^{(i)}$ is associated. 


3.5 Complexity Analysis 

In this section we consider the complexity of the active-secure protocol. Summing the complexities stated in the presentation of the protocol gives us a total complexity of $O(((c_M + c_R)n^2\kappa + nB(\kappa)) + c_I B(\kappa) + c_O n^2\kappa + c_M n^2\kappa)$, where $c_M$ denotes the number of multiplication gates, $c_R$ denotes the number of randomizing gates, $c_I$ denotes the number of input gates, and $c_O$ denotes the number of output gates. This is seen to be $O((c_M + c_R + c_O)n^2\kappa + nB(\kappa) + c_I B(\kappa))$. 
In the synchronous model with $t < n/2$, broadcasting (and/or doing BA on) a total of $\ell$ bits can be done with complexity $O(n^2\ell + n^3\kappa)$ under the strong RSA assumption and the assumption that RSA signatures are secure (cf. [Nie03]). We have $n + c_I$ broadcasts of $\kappa$-bit messages, giving $\ell = (n + c_I)\kappa$ and (a bit informally) $nB(\kappa) + c_I B(\kappa) = O(n^2(n + c_I)\kappa + n^3\kappa) = O(c_I n^2\kappa + n^3\kappa)$. This immediately gives us the bound $O((c_M + c_R + c_O + c_I)n^2\kappa + n^3\kappa)$ on the communication complexity of the overall protocol. 

Theorem 1. Under the QR assumption (or the DCR assumption), the strong
RSA assumption and the assumption that RSA signatures are secure, $O(cn^2\kappa)$
is an upper bound on the communication complexity of an active-secure protocol
with resilience $t < n/2$ for evaluating an $n$-party function with arithmetic circuit
complexity $c \ge n$.

3.6 Ongoing Computations 

The result for active security assumes that the size of the circuit is known before
the computation starts, to allow for a preparation phase. For an on-going reactive
computation, even the circuit might be specified as the computation unfolds, and
in particular the length of the computation might not be specified beforehand.
Our result can be extended to such a setting. We simply hold a pool of prepared
triples, and each time it runs dry we prepare at least twice as many triples as last
time. After polynomially many activations, this gives a maximum of $O(\log(\kappa))$
runs of the preparation phase and prepares at most twice as many triples as
needed. This gives the bound $O(cn^2\kappa + n^3\kappa\log(\kappa))$.

3.7 Boolean Circuits 

The proposed protocol evaluates a circuit of arithmetic gates, where the under- 
lying ring is the message space of the encryption scheme. We can extend the 
protocol to evaluate a Boolean circuit, even when the message space of the en- 
cryption scheme is larger (e.g., when using Paillier encryption). In the sequel, 
we present the necessary modifications for Boolean circuits over AND and NOT 
gates. The protocol for Boolean circuits has the same communication complexity 
as the protocol for arithmetic circuits. 

Input gates. In the input protocol, the player providing input must prove that
the input is in $\{0,1\}$. Therefore, the zero-knowledge proof for proving plaintext
knowledge is augmented by a zero-knowledge proof for proving that the plaintext
is either 0 or 1.

AND-gates. As it is guaranteed that all wires are encryptions of either 0 or 1, 
AND-gates can be realized as multiplication gates. 

NOT-gates. A NOT-gate can be computed using the homomorphism of the
encryption scheme. Given an encrypted bit $B$, its negation can be computed
as $E(1) \ominus B$. Every player can compute the encrypted value of a negation gate
locally, without communicating with other players.
Randomizing gates. It must also be ensured that the outputs of randomizing
gates are in $\{0, 1\}$. If $|M| > 2$ (as is the case for Paillier's cryptosystem), and we
want to stay within the new upper bound, a new protocol is needed for this.

0. Let $R^{(0)} = E(0, e)$ be a constant vector of length $c_R$, where each element is
the constant encryption $E(0, e)$. Let $\mathcal{P}_\mathrm{ok} = \mathcal{P}$, let $\mathcal{P}_\mathrm{done} = \emptyset$, let $i_\mathrm{prev} = 0$, let
$i_\mathrm{next} = 1$ and let Prev be an empty stack.

1. $P_{i_\mathrm{next}}$ computes $R^{(i_\mathrm{next})}$ from $R^{(i_\mathrm{prev})}$ as follows: For each element $R_\ell^{(i_\mathrm{prev})}$ in
$R^{(i_\mathrm{prev})}$, pick $a \in_R R$ and $b \in_R \{0,1\}$ and, if $b = 0$, let $R_\ell^{(i_\mathrm{next})} = E(0,a) \oplus R_\ell^{(i_\mathrm{prev})}$,
and if $b = 1$, let $R_\ell^{(i_\mathrm{next})} = E(1,a) \ominus R_\ell^{(i_\mathrm{prev})}$.

2. $P_{i_\mathrm{next}}$ broadcasts the hash value $h_{i_\mathrm{next}} = H(R^{(i_\mathrm{next})})$ among all players in $\mathcal{P}$.

3. $P_{i_\mathrm{next}}$ sends $R^{(i_\mathrm{next})}$ to every player $P_j \in \mathcal{P}$, and gives to $P_j$ (for each element
$R_\ell^{(i_\mathrm{prev})}$) a non-malleable zero-knowledge proof of knowledge of $a$ for which
either $R_\ell^{(i_\mathrm{next})} = E(0,a) \oplus R_\ell^{(i_\mathrm{prev})}$ or $R_\ell^{(i_\mathrm{next})} = E(1,a) \ominus R_\ell^{(i_\mathrm{prev})}$.

4. The parties $\mathcal{P}$ enter a BA on whether to accept the proofs given by $P_{i_\mathrm{next}}$:
Each party $P_j \in \mathcal{P}$ enters with $b_j = 1$ iff in the above step it received $R^{(i_\mathrm{next})}$
such that $h_{i_\mathrm{next}} = H(R^{(i_\mathrm{next})})$ and the bilateral proof from $P_{i_\mathrm{next}}$ to $P_j$ was
accepted.

5. - If the outcome of the BA is $b = 0$, then all parties in $\mathcal{P}$ set $\mathcal{P}_\mathrm{ok} =
\mathcal{P}_\mathrm{ok} \setminus \{i_\mathrm{next}\}$ and set $i_\mathrm{next}$ to be the smallest $i \in \mathcal{P}_\mathrm{ok} \setminus \mathcal{P}_\mathrm{done}$.
   - If the outcome of the BA is $b = 1$, then all parties in $\mathcal{P}$ set $\mathcal{P}_\mathrm{done} =
\mathcal{P}_\mathrm{done} \cup \{i_\mathrm{next}\}$, push $i_\mathrm{prev}$ on Prev, let $i_\mathrm{prev} = i_\mathrm{next}$ and set $i_\mathrm{next}$ to be
the smallest $i \in \mathcal{P}_\mathrm{ok} \setminus \mathcal{P}_\mathrm{done}$.
   In both cases, if $\mathcal{P}_\mathrm{ok} \setminus \mathcal{P}_\mathrm{done} = \emptyset$, then go to Step 8.

6. The party $P_{i_\mathrm{next}}$ broadcasts a bit $b \in \{0, 1\}$, where $b = 0$ iff $i_\mathrm{prev} \ne 0$ and
$P_{i_\mathrm{next}}$ never received $R^{(i_\mathrm{prev})}$ such that $h_{i_\mathrm{prev}} = H(R^{(i_\mathrm{prev})})$ (in Step 3).

7. - If $i_\mathrm{prev} = 0$ or $P_{i_\mathrm{next}}$ broadcast 1, then all parties in $\mathcal{P}$ go to Step 1.
   - If $i_\mathrm{prev} \ne 0$ and $P_{i_\mathrm{next}}$ broadcast 0, then all parties set $\mathcal{P}_\mathrm{ok} = \mathcal{P}_\mathrm{ok} \setminus
\{i_\mathrm{prev}, i_\mathrm{next}\}$. Then $i_\mathrm{prev}$ is set to be the top of Prev (which is then popped)
and $i_\mathrm{next}$ is set to be the smallest $i \in \mathcal{P}_\mathrm{ok} \setminus \mathcal{P}_\mathrm{done}$ (if $\mathcal{P}_\mathrm{ok} \setminus \mathcal{P}_\mathrm{done} = \emptyset$, then
go to Step 8). Then all parties in $\mathcal{P}$ go to Step 6.

8. All parties in $\mathcal{P}$ which know $R^{(i_\mathrm{prev})}$ such that $h_{i_\mathrm{prev}} = H(R^{(i_\mathrm{prev})})$ send
$R^{(i_\mathrm{prev})}$ to all parties.

9. All parties in $\mathcal{P}$ wait for a value $R^{(i_\mathrm{prev})}$ for which $h_{i_\mathrm{prev}} = H(R^{(i_\mathrm{prev})})$ to
arrive and output $R^{(i_\mathrm{prev})}$.

We first argue termination and agreement: It is straightforward to verify that
the procedure reaches Step 8. Since at this point $P_{i_\mathrm{prev}}$ at some point broadcast
$h_{i_\mathrm{prev}}$ and had its proof accepted by a majority of the parties in $\mathcal{P}$, at least
one honest party must have received $R^{(i_\mathrm{prev})}$ such that $h_{i_\mathrm{prev}} = H(R^{(i_\mathrm{prev})})$. At
least that party will echo $R^{(i_\mathrm{prev})}$ in Step 8 and thus all parties will terminate in
Step 9. Since $h_{i_\mathrm{prev}}$ is a broadcast value, all parties will output the same value
$R^{(i_\mathrm{prev})}$ unless a collision under $H$ is found.
We then argue that $R^{(i_\mathrm{prev})}$ is a vector of encryptions of random bits of
which the adversary has zero knowledge. At termination we clearly have that
$\mathcal{P}_\mathrm{ok} \subseteq \mathcal{P}_\mathrm{done}$. Furthermore, at termination $\mathcal{P}_\mathrm{ok}$ will contain a majority of honest
parties and there exists a sequence $i_0 = 0 < i_1 < \cdots < i_{l-1} < i_l \le n$ such that
$\mathcal{P}_\mathrm{ok} = \{i_1, \ldots, i_l\}$ and for $m = 1, \ldots, l$ the vector $R^{(i_m)}$ was computed by $P_{i_m}$
from $R^{(i_{m-1})}$ as specified in Step 1. Since the proof of knowledge ensures that
each party "flips" the encryptions independently and at least one party in $\mathcal{P}_\mathrm{ok}$
is honest, it follows that $R^{(i_l)}$ is a vector of encryptions of independent random
bits unknown to the adversary.

Each party broadcasts (at most) $\kappa$ bits in Step 2 and one bit in Step 6.
Besides this, $n$ BAs are executed and each party $P_{i_\mathrm{next}}$ sends the vector $R^{(i_\mathrm{next})}$
to all parties and gives the non-malleable zero-knowledge proofs of knowledge
in Step 3. Assuming that $B(\kappa)$ dominates the cost of one Byzantine agreement,
the total communication complexity of this is $O(c_R n^2\kappa + nB(\kappa))$, as desired.

The above protocol can be seen as a strengthening of the protocol used in the
original preparation phase, to deal with large values being built sequentially from
large contributions from all parties. Similar protocols can be used to prepare
$c$ gates for the Mix-and-Match protocol in [JJ00] with complexity $O(cn^2\kappa +
nB(n))$ and for mixing $c$ ciphertexts in anonymizing networks and voting (with $n$
servers) with complexity $O(cn^2\kappa + nB(n))$. In both cases this is an optimization over
$O(cnB(\kappa)) = O(cn^3\kappa)$.

4 Passive-Secure MPC Protocol for t < n

In this section we present an upper bound on the communication complexity of
a passive-secure MPC protocol. Again the upper bound is given by a protocol.
As opposed to the active-secure protocol, the passive protocol is not based on
novel technical contributions but rather on a neat observation.

The essential observation is that in the threshold homomorphic encryption
based MPC protocol of [CDN01] each gate has a short publicly known
representation, namely the associated encryption. This is opposed to e.g. secret
sharing based protocols, where the representation is exactly shared among the
parties and therefore inherently large ($O(n\kappa)$). This observation allows us to
designate some party $P_\mathrm{king}$ which drives the protocol and evaluates the circuit gate
by gate, with help of the other parties.

The protocol proceeds along the lines of the active protocol, though no prepa- 
ration phase is needed anymore. The details are given below. 

Setup phase. In the setup phase the setup function $s$ generates a random key
pair $(Z, z)$, splits $z$ into $(z_1, \ldots, z_n)$ with threshold $t = n - 1$, sets $p = Z$ and
sets $s_i = z_i$ for $i = 1, \ldots, n$. Furthermore one designated party $P_\mathrm{king}$ is chosen,
called the king, e.g. $P_\mathrm{king} = P_1$.

Input gates. When a party $P_i$ is to provide the input $v_i \in M$, the parties proceed
as follows:

1. $P_i$ selects $\alpha_i \in_R R$, computes and sends $V_i = E(v_i, \alpha_i)$ to $P_\mathrm{king}$.

2. $P_\mathrm{king}$ sends $V_i$ to all parties.

The privacy of the protocol follows from the semantic security of the encryp- 
tion scheme. 

Output gates. The value of some gate $G$ with associated ciphertext $M$ is revealed
as follows:

1. Every party $P_i$ computes and sends $m_i = SD_{z_i}(M)$ to $P_\mathrm{king}$.

2. $P_\mathrm{king}$ computes $m = C(m_1, \ldots, m_n)$ and sends it to all parties.

The security of this protocol is argued along the lines of the active-secure
protocol. The communication complexity is $O(n\kappa)$.

If the value is to be revealed privately to only one party $P_j$, then the
parties send their decryption shares $m_i$ privately to $P_j$, who computes $m =
C(m_1, \ldots, m_n)$.

Addition gates. The king computes the value of addition gates using the homo- 
morphism of the encryption scheme. 

Multiplication gates. For a multiplication gate $G$ where the two input gates
have associated ciphertexts $M_1$ and $M_2$, the associated ciphertext $M_G$ of $G$ is
computed as follows:

1. Every party $P_i \in \mathcal{P}$ selects $a_i \in_R M$, $\alpha_i, \beta_i \in_R R$, computes $A_i = E(a_i, \alpha_i)$
and $C_i = a_i \odot M_2$ (re-randomized using $\beta_i$), and sends $A_i$ and $C_i$ to $P_\mathrm{king}$.

2. $P_\mathrm{king}$ computes $A = M_1 \oplus \bigoplus_{P_i \in \mathcal{P}} A_i$ and $C = \bigoplus_{P_i \in \mathcal{P}} C_i$ and sends $A$ and $C$
to all parties.

3. Every party $P_i \in \mathcal{P}$ computes its decryption share $a_i = SD_{z_i}(A)$ and sends
it to $P_\mathrm{king}$.

4. $P_\mathrm{king}$ decrypts $a = C(a_1, \ldots, a_n)$, computes $M_G = a \odot M_2 \ominus C$ and sends it to
all parties.

The security is argued as for the active-secure protocol. The communication
complexity is $O(n\kappa)$.

Randomizing gates. An encryption of a random value $m$, unknown to the
adversary, is computed as follows:

1. Every party $P_i \in \mathcal{P}$ selects $a_i \in_R M$, $\alpha_i \in_R R$, computes $A_i = E(a_i, \alpha_i)$ and
sends it to $P_\mathrm{king}$.

2. $P_\mathrm{king}$ computes $A = \bigoplus_{P_i \in \mathcal{P}} A_i$ and sends it to all parties.

Complexity analysis. It is straightforward to verify that the total number of
bits sent by the parties is $O((c_I + c_M + c_O + c_R) n \kappa)$.
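As an added illustration (not code from the paper), the king-driven multiplication gate above, the NOT gate of Section 3.7 and the bit-flipping step of the randomizing-gate protocol for Boolean circuits, written over single-key Paillier in Python; the single dec() call stands in for the ideal outcome of the threshold decryption (decryption shares combined by the king), and the toy primes are constructed, not secure.

```python
import secrets
from math import gcd


class Paillier:
    """Additively homomorphic Paillier scheme with toy parameters (constructed).
    enc/add/sub/smul are the public operations E, ⊕, ⊖, ⊙ of the text; dec()
    models the ideal result of the threshold decryption protocol, in which the
    king combines the parties' decryption shares."""

    def __init__(self, p, q):
        assert p != q and gcd(p * q, (p - 1) * (q - 1)) == 1
        self.n, self.n2 = p * q, (p * q) ** 2
        self.lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
        self.mu = pow(self._L(pow(self.n + 1, self.lam, self.n2)), -1, self.n)

    def _L(self, u):
        return (u - 1) // self.n

    def enc(self, m, r=None):
        """E(m, r) = (1+n)^m * r^n mod n^2; a fresh r is drawn if none is given."""
        while r is None or gcd(r, self.n) != 1:
            r = secrets.randbelow(self.n - 1) + 1
        return pow(self.n + 1, m % self.n, self.n2) * pow(r, self.n, self.n2) % self.n2

    def dec(self, c):
        return self._L(pow(c, self.lam, self.n2)) * self.mu % self.n

    def add(self, c1, c2):   # ⊕ : E(m1) ⊕ E(m2) = E(m1 + m2)
        return c1 * c2 % self.n2

    def sub(self, c1, c2):   # ⊖ : E(m1) ⊖ E(m2) = E(m1 - m2)
        return c1 * pow(c2, -1, self.n2) % self.n2

    def smul(self, k, c):    # ⊙ : k ⊙ E(m) = E(k * m)
        return pow(c, k % self.n, self.n2)


def king_multiply(pk, M1, M2, n_parties):
    """Passive multiplication gate driven by P_king. Returns M_G = E(m1 * m2).
    The only value ever decrypted is a' = m1 + sum(a_i), which is uniformly
    random in M because every a_i is, so nothing about m1 leaks."""
    # Step 1: each P_i picks a_i and sends A_i = E(a_i, alpha_i) and
    #         C_i = a_i ⊙ M2, re-randomised by adding E(0, beta_i), to the king.
    A, C = M1, pk.enc(0)
    for _ in range(n_parties):
        a_i = secrets.randbelow(pk.n)
        A = pk.add(A, pk.enc(a_i))                          # Step 2: A = M1 ⊕ (⊕_i A_i)
        C = pk.add(C, pk.add(pk.smul(a_i, M2), pk.enc(0)))  #         C = ⊕_i C_i
    # Steps 3-4: parties return decryption shares of A, the king combines them
    # (modelled by pk.dec) and publishes M_G = a' ⊙ M2 ⊖ C.
    a_prime = pk.dec(A)
    return pk.sub(pk.smul(a_prime, M2), C)


def not_gate(pk, B):
    """NOT gate of Section 3.7, computed locally by every player: E(1) ⊖ B."""
    return pk.sub(pk.enc(1), B)


def flip_chain(pk, vector, n_parties):
    """Step 1 of the Boolean randomizing-gate protocol applied by n_parties in
    sequence: each party either re-randomises (b = 0) or negates (b = 1) every
    encrypted bit. A single honest party in the chain makes the output bits
    uniform and unknown to everybody else."""
    for _ in range(n_parties):
        vector = [pk.add(pk.enc(0), R) if secrets.randbelow(2) == 0
                  else pk.sub(pk.enc(1), R) for R in vector]
    return vector


if __name__ == "__main__":
    pk = Paillier(10007, 10009)                  # constructed toy primes
    print(pk.dec(king_multiply(pk, pk.enc(123), pk.enc(456), 3)))   # 56088
    print(pk.dec(not_gate(pk, pk.enc(1))))                            # 0
    start = [pk.enc(0, 1)] * 4                   # R^(0): constant encryptions E(0, e)
    print([pk.dec(R) for R in flip_chain(pk, start, 3)])              # four random bits
```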

Theorem 2. Under the QR assumption (or the DCR assumption), $O(cn\kappa)$ is an
upper bound on the communication complexity of a passive-secure protocol with
resilience $n - 1$ for evaluating an $n$-party randomized function with arithmetic
circuit complexity $c$.
5 Conclusions and Open Problems

We presented new upper bounds on the communication complexity of optimally
resilient active-secure MPC and optimally resilient passive-secure MPC. In both
cases we improved the previously best bounds by a factor $n$. The improvement of
the bound for active security was based on a combination of previous techniques
for efficient MPC along with several novel technical contributions, as opposed to
the improvement of the bound for passive security, which was based on a simple
observation.

Our bounds were based either on the DCR assumption or on the QR assumption
(in both cases requiring, additionally, the strong RSA assumption and
the assumption that RSA signatures are secure for active security). Even though
these assumptions are standard assumptions, they are very specific. It is an
interesting open problem to achieve the same bounds under general assumptions,
such as the existence of one-way functions. One approach would be to investigate
the efficiency of active-secure information-theoretic MPC with $t < n/2$. It
is known that the player elimination framework does not apply to this threshold
[HMP00, HM01]. The ideas presented here might however allow one to obtain
similar results in this model. The new upper bound for passive security however
seems very challenging to obtain under general assumptions.

It is an interesting open problem to obtain the new bound also for adaptive
security. In [DN03] an adaptively secure version of the protocol from [CDN01]
was presented. However, the techniques from [DN03] do not allow us to make our
protocol here adaptively secure while staying within the bound $O(cn^2\kappa + n^3\kappa)$.
We stress that although our protocol cannot be proven adaptively secure (we
cannot construct a simulator), there is no obvious way for an adaptive adversary
to violate the correctness or the security of the computation. This is in contrast
to some folklore trick for improving efficiency, namely to have the players agree
on a small random subset of players, who then perform the whole protocol.
In this approach, an adaptive adversary can trivially violate both privacy and
correctness of the protocol, simply by corrupting the majority (or even all) of
the players in the subset, once this is randomly chosen.

Another interesting open problem is to prove non-trivial lower bounds on the 
communication complexity of secure MPC. 
Abstract. We present generic frameworks for constructing efficient
broadcast encryption schemes in the subset-cover paradigm, introduced
by Naor et al., based on various key derivation techniques. Our frameworks
characterize any instantiation completely by its underlying graph
decompositions, which are purely combinatorial in nature. This abstracts
away the security of each instantiated scheme to be guaranteed by the
generic one of the frameworks, thus giving flexibility in designing
schemes. Behind these are new techniques based on (trapdoor) RSA
accumulators utilized to obtain practical performances.

We then give some efficient instantiations from the frameworks. Our
first construction improves the currently best schemes, including the one
proposed by Goodrich et al., without any further assumptions (only pseudo-random
generators are used) by some factors. The second instantiation,
which is the most efficient, is instantiated based on RSA and directly improves
the first scheme. Its ciphertext length is of order $O(r)$, the key size
is $O(1)$, and its computational cost is $O(n^{1/k} \log^2 n)$ for any (arbitrarily
large) constant $k$, where $r$ and $n$ are the number of revoked users and all
users respectively. To the best of our knowledge, this is the first explicit
collusion-secure scheme in the literature that achieves both ciphertext size
and key size independent of $n$ simultaneously while keeping all other costs
efficient, in particular, sub-linear in $n$. The third scheme improves Gentry
and Ramzan's scheme, which itself is more efficient than the above
schemes in the aspect of asymptotic computational cost.

Keywords: Broadcast Encryption, Revocation Scheme, Subset-cover, Optimal
Key Storage.


1 Introduction 

Broadcast encryption (BE) involves 1 broadcaster and $n$ receivers. Each receiver
is given a unique private key. The broadcaster is given a private broadcaster
key. The broadcaster wishes to broadcast messages to a designated set $P \subseteq N =
\{1, \ldots, n\}$ of receivers. Any receiver in $P$ should be able to decrypt the broadcast
message using only its private key, while a coalition $F \subseteq N \setminus P$ (revoked users)
should not be able to do so. Such a scheme is motivated largely by pay-TV
systems and the distribution of copyrighted materials such as CD/DVD. Broadcast
encryption schemes were first formalized by Fiat and Naor [13]. Since then, many
variants of the basic problem have been proposed. The arguably most challenging
variant is the one which considers the case where $P$ can be an arbitrary subset
of $N$ while the collusion is considered the full one, $N \setminus P$, and also that the
private key stored by each user is fixed from the initialization time (stateless
receiver). The main goal is to construct efficient schemes that satisfy the above
variant and require only small size of both the header of the broadcast and the
private key as a function of $n$ or $r := n - |P|$. The header is the encapsulation
of the session key that is used to encrypt data.

An efficient solution which is considered the groundwork for many consequences
is the Complete (binary) Subtree scheme (CS) by Naor et al. [18]. Schemes
which were considered the current state of the art (before two very recent works,
see below) are: (i) Pseudo-random sequence generator (PRSG) based schemes
such as the Subset Difference scheme (SD) [18], its refinement the Layered SD
scheme (LSD) [14], and their somewhat generalizations in [4]. (ii) RSA accumulator
based schemes such as Asano's scheme [2], and its optimal generalizations
in [3,11]. See Table 1 for the efficiency comparison. No scheme above could
achieve simultaneously a small header size independent of $n$ and a small key size of
order $O(\log n)$, while keeping computational cost and all other costs growing only
sub-linearly in $n$.

More recently, Goodrich et al. [12] and Wang et al. [20] independently proposed
more efficient schemes that break the above barrier. In particular, they
achieve simultaneously header size of order $O(r)$ and key size of $O(\log n)$, and
computational cost of $O(n^{1/k})$ for arbitrary constant $k$. (In fact, in [20] only the
case $k = 1, 2$ is considered.)

In this paper, we propose generic frameworks for constructing broadcast encryption
and give some efficient instantiations. One of our instantiations
(Instantiation 2 in Table 1) achieves not only small header size of order $O(r)$
but also small key size of $O(1)$ with no extra non-secret storage, while keeping
computational cost $O(n^{1/k} \log^2 n)$, which grows only sub-linearly in $n$. Thus
this is the first scheme that achieves header and private key size independent
of $n$ while keeping computational cost sub-linear in $n$, with no extra non-secret
storage. The contributions in more detail are described below.


1.1 Our Contributions 

In the general subset-cover paradigm of [18], which includes almost all of the
above schemes, it has been implicitly understood that one can separate the design
of such a scheme into two seemingly orthogonal problems, namely: designing a
combinatorial set system which enables subset covering (this step determines the
header size), and defining computational key derivation (this step determines the
private key size and computational cost). This was first explicitly characterized by
Gentry-Ramzan [11] for the case of Akl-Taylor's RSA based key derivation [1].
Table 1. Comparison among previous schemes and our instantiations (k is an arbitrary
parameter, a is an arbitrary constant).

| Scheme | Header size (complexity, ≤) | Priv. key size | Comp. cost (bit complexity): prime-gen | Comp. cost (bit complexity): others |
|---|---|---|---|---|
| PRSG or OWF-based | | | | |
| CS [18] | O(r log(n/r)) | log n + 1 | - | O(log log n) |
| SD [18] | O(r), 2r - 1 | O(log^2 n) | - | O(log n) |
| LSD [14] | O(r), 2kr - k | O(log^{1+1/k} n) | - | O(log n) |
| GST04 [12] | O(r), 4kr | 2 log n | - | O(n^{1/k}) |
| WNR04 [20] | O(r), 4r | 2 log n | - | O(√n) |
| Instantiation 1 | O(r), 2kr | ≤ log n + 1 | - | O(n^{1/k}) |
| RSA accumulator-based | | | | |
| Asano [2] | O(r log_a(n/r) + r) | 1 | O(2^a log^5 n) | O(2^a log_a n) |
| GR04 [11] | O(r log_a(n/r) + r) | 1 | O(a log^5 n) | O(a log_a n) |
| Instantiation 3 | O(r log_a(n/r) + r) | 1 | O(1) | O(a log n) |
| (SD)_acc | O(r), 2r - 1 | 1 | O(n log^4 n) | O(n) |
| Instantiation 2 | O(r), 2kr | 1 | O((log^5 n)/k^5) | O((n^{1/k} log^2 n)/k) |

Framework. In this paper, we characterize the two orthogonal components
in general. We then explicitly present three generic sub-frameworks for the
computational key derivation component (generic as arbitrary set systems are
applicable): the PRSG based technique (re-formalized from [4] so as to be consistent
with the presentation here), and non-trapdoor- and trapdoor-RSA accumulator based
techniques. The non-trapdoor RSA based one is a new optimal generalization of
Akl-Taylor's technique and is further improved by the trapdoor RSA based one.

The main issue is that we characterize the three sub-frameworks so that
instantiations in these frameworks and their resulting efficiencies depend
solely on properties related to graph decompositions of the set systems being
instantiated, while at the same time the security is guaranteed automatically
by the general frameworks. The PRSG based framework is based on
tree decomposition, and the two RSA based frameworks are based on chain
decomposition; both are purely combinatorial. Therefore the whole paradigm
abstracts away the computational security issues and reduces the problem to
pure combinatorics. Moreover it allows modularity in designing a scheme:
it is a matter of finding a set system which yields a good header size in the first
step, and then finding a graph decomposition of that set system that yields a
good private key size and computational cost.

As for the generic efficiency characterization, both RSA based frameworks
achieve key size $O(1)$ for all instances. One generic property of the trapdoor
based framework that makes it superior to the non-trapdoor based one is that
when restricting to the same asymptotic resources and instantiating the same
set system (or to be more precise, its hierarchical version and itself respectively),
if the non-trapdoor based one allows $n$ users in the scheme, then the trapdoor
based one will allow $n^k$ users for any (arbitrarily large) constant $k$. Indeed, the
costs due to prime generation are exactly the same (not only asymptotically).





Efficient Instantiations. For the combinatorial set system component, all of
our schemes are based on new set systems we call Subset Incremental Chain (SIC)
and Layered-SIC (LSIC), which are designed so as to achieve small header size,
being $O(r)$, while intrinsically having graph decompositions with good properties.
For the computational key derivation component, we instantiate the LSIC set
system by presenting its graph decompositions, resulting in various concrete
schemes upon each sub-framework as follows. We use the notation $(X)_y$ to denote
an instantiation of the set system $X$ using the $y$-based framework. Denote LSIC[$k$]
as LSIC with parameter $k$. Note that LSIC[1] = SIC.

Instantiation 1: $(\mathrm{LSIC}[k])_\mathrm{prsg}$. This scheme directly improves the schemes of [12,20]
(and it is fair to compare with them since the same assumption, PRSG, or equivalently
one-way function, was used). In particular it can reduce some overheads, albeit
only within constant terms in the worst case: the worst-case key sizes are half of
those in [12,20]. Indeed the key size in our scheme is non-uniform among users;
some users are even required to store only constant-size keys (cf. Theorems 4, 6,
and Eq. (4)). Our scheme also reduces the computational cost from [12], but only
in the average case (the worst-case costs are asymptotically the same).

Instantiation 2: $(\mathrm{LSIC}[k])_\mathrm{acc}$, $(\mathrm{LSIC}[k])_\mathrm{tacc}$. Note that (t)acc is for (trapdoor)
accumulator. The performance of this scheme is as mentioned previously. It is the
first scheme that achieves header and private key size independent of $n$ while
keeping computational cost sub-linear in $n$, with no extra non-secret storage.
The number of primes used per user is optimal, being $O(\log n)$ for $(\mathrm{LSIC}[k])_\mathrm{acc}$
and further reduced to $O((\log n)/k)$ for $(\mathrm{LSIC}[k])_\mathrm{tacc}$ (so that the on-the-fly
prime generation cost is $O((\log^5 n)/k^5)$). Had one used the non-optimal
Akl-Taylor framework as put forth in the context of BE by [2,3,11], it would be
$O(n^{1/k} \log n)$, which is super-logarithmic (and the prime generation cost would
be $O(n^{1/k} \log^5 n)$).

Instantiation 3: $(\mathrm{LSIC}[\log_a n])_\mathrm{tacc}$. This scheme improves Gentry and Ramzan's
scheme [11], which itself is more efficient than the above schemes in the aspect
of asymptotic computational cost. Our scheme reduces the poly-logarithmic cost due
to prime generation, which was the dominant cost, to only a constant one without
affecting the other parameters. Among the constant-key-size schemes with
header size $O(r \log_a(n/r) + r)$ and no extra non-secret storage, this is the first
one in the literature that achieves $O(\log n)$ overall computational cost. (And in
fact, ours uses only a constant number of primes.) The previous improvement
for this class of schemes was done by [11] to improve [2], but only in the constant
term involving $a$. (See Table 1.)

1.2 Other Related Works 

Very recently, Boneh et al. [7] proposed a public-key broadcast encryption scheme
which achieves size $O(1)$ for both header and private key. However, the size of
the public key to be used by an encrypter, which is also the non-secret storage
needed for the decrypter, is $O(n)$. Moreover, the computational cost is $O(n - r)$
(albeit with a small coefficient). The second scheme in [7] reduces the non-secret
storage size to $O(\sqrt{n})$ but at the price of an increased header size of $O(\sqrt{n})$,
no longer independent of $n$. Boneh and Silverberg [6] show that $n$-linear
maps can be used to construct an optimal public-key scheme with constant private
key, public key, and header size. However, there are currently no known
constructions for such a map for $n > 2$. Most recently, Jho et al. [15] proposed
some efficient schemes with small header size when $r$ is not too small. However,
their schemes do not enjoy practical asymptotic performances, as either the
header size is $c_1 r + c_2 n = O(n)$ (for some constants $c_1, c_2$) or the key size is
$\binom{n-1}{k} = O(n^k)$ (where $k \ge 2$) for their best two schemes.

2 Framework and Some Preliminaries 

2.1 Framework 

We refer to [18] for the definitions and the security notions for private-key broad- 
cast encryption. Now we recap the subset-cover framework [18] separately into 
two components as follows. 

Combinatorial Set System Component. We first redefine a set system
which is useful for such a scheme in this framework, called a complement-cover set
system. Such a set system is a family of subsets of a universe with the property
that every subset of the universe can be efficiently partitioned into a union of some
collection of subsets in the family.

Definition 1 (Complement-Cover Set System). For a map $c : \mathbb{Z}_{>0} \times \mathbb{Z}_{>0} \to
\mathbb{Z}_{>0}$, a set system $\mathcal{S} = \{S_1, \ldots, S_m\}$ over a base set $N = \{1, \ldots, n\}$ is $c$-complement-cover
if there is a polynomial-time algorithm which, upon input any subset
$R \subseteq N$, outputs $\{S_{i_1}, \ldots, S_{i_t}\}$ for some $1 \le i_1, \ldots, i_t \le m$ such that $N \setminus R =
\bigcup_{j=1}^{t} S_{i_j}$ and $t \le c(n, |R|)$. □

As usual, $n$ and $r$ are the number of all users and of revoked users, respectively. Such a
$c(n, r)$-complement-cover set system yields a broadcast encryption scheme in the
subset-cover framework with header size $c(n, r)$. The scheme is as follows.
The broadcaster defines a subset key for each subset in the family. Each user
stores a set of keys in such a way that he can derive all the keys of subsets (in
the family) of which he is a member. (Thus, the easiest way is to store them
all. However, to reduce the storage of keys, it is better to store only some
and derive the others from those stored keys on the fly. Such derivation patterns
are predefined by the broadcaster.) To revoke the set $R$ of users, the broadcaster
just lets the header be a session key encrypted with each key of the subsets in the
partition of $N \setminus R$. Thus the header size is $c(n, r)$. We often write $c_X(n, r)$ for
$c(n, r)$ of the set system $\mathcal{S}_X$, where $X$ is the name of that set system.

Computational Key Derivation Component. We formalize the specification
of key derivations in the context of an access control scheme as follows.
Denote by $k(S)$ the subset key for $S \in \mathcal{S}$ and $p(u)$ the private key of $u \in N$.
Informally, the security of such a scheme requires that with $p(u)$ one can derive
$k(S)$ if and only if $u \in S$; moreover, the collusion $N \setminus S$ cannot derive it.

Definition 2 (Access Control Scheme, AC). An Access Control Scheme
AC for a set system $\mathcal{S}$ over a base set $N$ is a 2-tuple of polynomial-time algorithms
(Keygen, Derive), where:

Keygen($1^\lambda$): Takes as input a security parameter $1^\lambda$. It returns all $k(S_i)$'s, all
$p(u)$'s, and a public parameter pub.

Derive($(u, p(u))$, $S_i$, pub): Takes as input $u \in N$, the key $p(u)$, $S_i \in \mathcal{S}$, and pub.
It returns $k(S_i)$ if $u \in S_i$, or the special symbol $\bot$ otherwise. □

Naor et al. [18] proved that BE in the subset-cover paradigm whose access
control component is secure in the sense of Key-Indistinguishability (KIND) is
secure in the standard notion, namely IND-CCA1. Dodis and Katz [10] use a
technique involving multiple encryption to obtain a generic scheme which is
IND-CCA2-secure. Key-Intractability (KINT) can be defined analogously. These
definitions are given in the full version of this paper due to limited space
here. Also note that there is a simple conversion from a KINT-secure scheme to a
KIND-secure one. Thus KIND or KINT is sufficient for the security of the scheme.

Denote by $(X)_y$ the access control scheme for set system $\mathcal{S}_X$ that is constructed
via AC framework $y$. Denote by $\mathrm{KeySize}_{(X)_y}(u)$ the number of keys of
$u$ (i.e., $|p(u)|$, when $p(u)$ is treated as a set) and by $\mathrm{CompCost}_{(X)_y}$ the worst-case
computational cost of Derive. We also refer to $(X)_y$ as a BE scheme via the
complement-cover set system $\mathcal{S}_X$. For any $y$, $\mathrm{HeaderSize}_{(X)_y}(n, r) = c_X(n, r)$.


2.2 Some Terminology 

Viewing a Set System as a Poset. A set system is partially ordered by the
inclusion relation ($\subseteq$). Interpreting a set system as a partially ordered set (poset)
is useful when defining key derivations in AC. Intuitively, the Derive algorithm implies
that whenever $S_i \subseteq S_j$, anyone who can access $k(S_i)$ is allowed to access $k(S_j)$.

Terminology for Posets, Graphs. The terminology for posets and graphs
used in this paper is the standard one (cf. [9]) (with some exceptions, see below).
Here we review some. A graph is a pair $G = (V, E)$ of sets satisfying $E \subseteq \binom{V}{2}$. $V$ is
the set of vertices (or nodes), usually denoted $V(G)$; $E$ is the set of edges, usually
denoted $E(G)$. Often, we abuse notation $v \in G$ to mean $v \in V(G)$. A tree is a
connected acyclic graph. We often denote $x = \mathrm{parent}_T(y)$ if $x$ is the parent of $y$
in tree $T$. A directed graph is a pair $G = (V, E)$ of sets satisfying $E \subseteq V \times V$, i.e.,
an edge is an ordered pair. A directed acyclic graph (DAG) is a directed graph
with no directed cycle in it. The notation of a chain $x \to y \to z$ means a directed
graph with $V = \{x, y, z\}$, $E = \{(x, y), (y, z)\}$ and is generalized naturally.

An inclusion poset $\mathcal{S}$ can be represented by a DAG $G$ by setting $V = \mathcal{S}$,
$E = \{(S, S') : S \subset S';\ S, S' \in \mathcal{S}\}$. This is called the maximal representation,
denoted $\mathrm{DAG}_{\max}(\mathcal{S})$. The minimal representation, denoted $\mathrm{DAG}_{\min}(\mathcal{S})$, is the one
with $E = \{(S, S') : S \subset_c S';\ S, S' \in \mathcal{S}\}$ where we say $S \subset_c S'$ iff there is no
$S'' \in \mathcal{S}$ such that $S \subset S'' \subset S'$.
Fig. 1. Toy example 1 and its graph decompositions

In our context¹, a graph decomposition (often denoted $\mathcal{G}$) of a poset $\mathcal{S}$ is
a family of connected subgraphs whose sets of nodes partition the set of all
nodes in $\mathrm{DAG}_{\max}(\mathcal{S})$. (Thus we sometimes say $\mathcal{G}$ is a graph decomposition of
$\mathrm{DAG}_{\max}(\mathcal{S})$.) When each subgraph is a tree whose edges are directed away from
the root, we call it a tree decomposition (often denoted $\mathcal{T}$). When each graph is a
directed chain whose edges are directed in the same direction, we call it a chain
decomposition (often denoted $\mathcal{C}$). An induced graph decomposition is one in
which each subgraph is an induced subgraph. Fig. 1 shows graph decompositions
of the set system for toy example 1, $\mathcal{S}_{\mathrm{toy1}} = \{\{1\}, \{2\}, \{3\}, \{4\}, \{1,2\}, \{2,3\},
\{2,4\}, \{3,4\}, \{1,2,3\}\}$. From now on we abuse some notations, often in figures,
e.g., writing 12 or 1,2 instead of $\{1,2\}$ if it causes no confusion. Note that every
chain decomposition is a tree decomposition.

We fix BT to be the complete binary tree with $n$ leaves labeled $1,\dots,n$ from left to right. The level of a node in BT is its distance from the root. For a fixed node, its left (resp., right) nodes are those nodes at the same level that appear to its left (resp., right). BT will be used only to help define set systems and should not be confused with the graph representations of posets of set systems.

3 New Set Systems 

3.1 Subset Incremental Chain (SIC) Set System 

The SIC Set System. For $i,j \in N = \{1,\dots,n\}$ and $i<j$, denote

$$(i \to j) := \{\{i\},\{i,i+1\},\dots,\{i,\dots,j\}\}, \qquad (i \leftarrow j) := \{\{j\},\{j-1,j\},\dots,\{i,\dots,j\}\},$$

and $(i \to i) = (i \leftarrow i) := \{\{i\}\}$. Consider the binary tree BT. For a node $v$ in BT, let $l_v$ (resp., $r_v$) be the leftmost (resp., rightmost) leaf under $v$. We define the set system SIC (of $n$ users) by letting

$$\mathcal{S}_{\mathrm{SIC}} = \bigcup_{v \in \mathrm{BT}_L} (l_v+1 \leftarrow r_v) \ \cup \bigcup_{v \in \mathrm{BT}_R} (l_v \to r_v-1) \ \cup\ (1 \to n)\ \cup\ (2 \leftarrow n), \qquad (1)$$

where $\mathrm{BT}_L$ (resp., $\mathrm{BT}_R$) is the set of internal nodes which are left (resp., right) children. An informal visual view of $\mathcal{S}_{\mathrm{SIC}}$ is shown in Fig. 2, where the union of all the collections written there is the only important information.

¹ Our notions of tree and chain decompositions are not the standard ones (cf. [9]). Instead, the notions introduced here might be named tree cover and path cover, respectively.
Theorem 1. $\mathcal{S}_{\mathrm{SIC}}$ is a $(2r)$-complement-cover set system.

Proof. We call a set of the form $\{i,i+1,\dots,j\}$ for some $i \le j$ a consecutive set. We first claim that any consecutive set, say $A=\{i,\dots,j\}$, can be partitioned into no more than 2 sets in $\mathcal{S}_{\mathrm{SIC}}$, and prove it as follows. Let $a$ be the least common ancestor of the leaves $i$ and $j$ in BT, denoted $\mathrm{lca}(i,j)=a$. Let $s$ be the least ancestor of $a$ which is in $\mathrm{BT}_L$ if $a \in \mathrm{BT}_R$, and which is in $\mathrm{BT}_R$ if $a \in \mathrm{BT}_L$. Let $x,y$ be the left and right children of $a$. First, if $i=1$ then $A \in (1 \to n) \subseteq \mathcal{S}_{\mathrm{SIC}}$; else if $j=n$ then $A \in (2 \leftarrow n) \subseteq \mathcal{S}_{\mathrm{SIC}}$ (since $2 \le i$). Now assume $i \ne 1$, $j \ne n$. We list all possible cases of $(i,j)$ as follows. Let $*$ denote an unspecified value.

1. If $(i = l_a;\ j = *;\ a \in \mathrm{BT}_L)$ then $A \in (l_s \to r_s-1) \subseteq \mathcal{S}_{\mathrm{SIC}}$ (since $i=l_s$, $j \le r_s-1$, and $s \in \mathrm{BT}_R$).

2. If $(i = *;\ j = r_a;\ a \in \mathrm{BT}_R)$ then $A \in (l_s+1 \leftarrow r_s) \subseteq \mathcal{S}_{\mathrm{SIC}}$ (since $j = r_s$, $l_s+1 \le i$, and $s \in \mathrm{BT}_L$).

3. If $(i = l_a;\ j \ne r_a;\ a \in \mathrm{BT}_R)$ then $A \in (l_a \to r_a-1) \subseteq \mathcal{S}_{\mathrm{SIC}}$ (since $j \le r_a-1$).

4. If $(i \ne l_a;\ j = r_a;\ a \in \mathrm{BT}_L)$ then $A \in (l_a+1 \leftarrow r_a) \subseteq \mathcal{S}_{\mathrm{SIC}}$ (since $l_a+1 \le i$).

5. If $(i \ne l_a;\ j \ne r_a;\ a \in *)$ then $A = P \cup Q$ with $P=\{i,\dots,r_x\}$, $Q=\{l_y,\dots,j\}$, and we have $P,Q \in \mathcal{S}_{\mathrm{SIC}}$ since

– $\mathrm{lca}(i,r_x)=x$, thus $(i,r_x)$ falls into case 2 or 4 and $P \in \mathcal{S}_{\mathrm{SIC}}$;

– $\mathrm{lca}(l_y,j)=y$, thus $(l_y,j)$ falls into case 1 or 3 and $Q \in \mathcal{S}_{\mathrm{SIC}}$.

This proves the claim. Back to the proof: it is obvious that $N \setminus R$ can be partitioned into no more than $r$ consecutive sets if $1$ or $n$ is in $R$, and into no more than $r+1$ such sets otherwise. In the former case, the size of the partition into sets of $\mathcal{S}_{\mathrm{SIC}}$ is $\le 2r$; in the latter case (where $\{1,\dots,s\}$ and $\{t,\dots,n\}$ for some $s,t$ are included in the partition), it is $\le 1(1)+2(r-1)+1(1)=2r$. □

Intuitively, SIC has graph decompositions with good properties since each collection in the union of Eq.(1) forms a chain of subsets. This will become clearer in the next section. The set system LSIC below generalizes SIC.


3.2 Layered SIC (LSIC) Set Systems 

Fig. 3. Set system LSIC[$k$], $k=2$, as the union of all collections written at each node

The LSIC[$k$] Set System. We view BT as consisting of subtrees (also binary and complete) of $n^{1/k}$ leaves so that there are exactly $k$ layers of such subtrees, where $k \mid \log n$. We will call such a subtree an “atomic” subtree (to distinguish it from other kinds of subtrees in BT). Informally, each atomic subtree contributes sets to $\mathcal{S}_{\mathrm{LSIC}}$ as in the SIC set system for that subtree, albeit each leaf in the subtree represents all the leaves under it in BT. More formally, for a node $z$ in BT, let $A_z := \{l_z, l_z+1, \dots, r_z\}$ (i.e., all the leaves under $z$). Let us consider the leaves $u,v$ in an atomic subtree where $v$ is some node on the right of $u$. We denote by $u^{(+1)}, u^{(+2)}$ (and so on) the next one, two (and so on) right leaves of $u$ in that atomic subtree. Denote $v^{(-1)}, v^{(-2)}, \dots$ analogously. Denote

$$u \to v := \{A_u,\ A_u \cup A_{u^{(+1)}},\ \dots,\ A_u \cup \cdots \cup A_v\}, \qquad u \leftarrow v := \{A_v,\ A_v \cup A_{v^{(-1)}},\ \dots,\ A_v \cup \cdots \cup A_u\}.$$

Let $l'_w, r'_w$ be the leftmost and rightmost leaves under $w$ in the atomic subtree and not $w$ itself; for example, $l'_{\mathrm{root}} = a$, $r'_{\mathrm{root}} = d$ and $l'_a = 1$, $r'_a = 4$ in Fig. 3. Let $\mathcal{A}$ be the set of all nodes which are the roots of atomic subtrees, excluding the root of BT. We define LSIC[$k$] analogously to Eq.(1) by letting

$$\mathcal{S}_{\mathrm{LSIC}[k]} = \bigcup_{v \in \mathrm{BT}_L \cup \mathcal{A}} (l'^{(+1)}_v \leftarrow r'_v) \ \cup \bigcup_{v \in \mathrm{BT}_R \cup \mathcal{A}} (l'_v \to r'^{(-1)}_v) \ \cup\ (l'_{\mathrm{root}} \to r'_{\mathrm{root}}) \ \cup\ (l'^{(+1)}_{\mathrm{root}} \leftarrow r'_{\mathrm{root}}). \qquad (2)$$

Intuitively, each $v \in \mathcal{A}$ has two collections $(l'^{(+1)}_v \leftarrow r'_v)$, $(l'_v \to r'^{(-1)}_v)$ attached, since it is the root of an atomic subtree to which SIC applies (cf. Eq.(1) and Fig. 2).

Theorem 2. $\mathcal{S}_{\mathrm{LSIC}[k]}$ is a $(2kr)$-complement-cover set system for a constant $k$; and $\mathcal{S}_{\mathrm{LSIC}[\log_a n]}$ is an $O(r\log_a(n/r)+r)$-complement-cover set system for a constant $a$.

Note that when $k=\log_a n$, from the former claim we already have that $\mathcal{S}_{\mathrm{LSIC}[\log_a n]}$ is $(2r\log_a n)$-complement-cover, but the claim above gives a sharper bound.

Proof. First we will prove that $\mathcal{S}_{\mathrm{LSIC}[k]}$ is $(2kr)$-complement-cover. Let $\mathrm{ST}_R$ denote the Steiner tree of a set of leaves $R \subseteq N$, i.e., the subtree of BT that consists of all paths from the root to each leaf in $R$. We call a node $v$ special if $v \in \mathcal{A}$. We “color” a node if it is special but is not in $\mathrm{ST}_R$ and all of its special ancestors are in $\mathrm{ST}_R$. Denote by $C$ the set of all colored nodes. Hence $N \setminus R = \bigcup_{v \in C} A_v = \bigcup_{j=1}^{k} \bigcup_{v \in L_j \cap C} A_v$, where we denote by $L_j$ the set of all special nodes in the $j$-th special layer away from the root (i.e., at distance $j(\log n)/k$ from the root). It suffices to prove that for each special layer $j$, the set $Y_j := \bigcup_{v \in L_j \cap C} A_v$ can be partitioned into at most $2r$ sets in the family $\mathcal{S}_{\mathrm{LSIC}}$. Denote by $x_i$ the number of uncolored special nodes in the $i$-th atomic subtree from left to right in this $j$-th layer. From Theorem 1, it is easy to deduce that $Y_j$ can be partitioned into at most $2(x_1+x_2+\cdots+x_p)$ sets in $\mathcal{S}_{\mathrm{LSIC}}$, where $p$ is the index of the last atomic subtree in this layer (in fact, $p = n^{(j-1)/k}$). But we have $x_1+\cdots+x_p \le r$ since the Steiner tree of $r$ leaves passes through all these uncolored special nodes. This proves the claim.

Next we will prove that $\mathcal{S}_{\mathrm{LSIC}[\log_a n]}$ is $O(r\log_a(n/r)+r)$-complement-cover. We first give the definition of the Stratified Subset-Difference set system with each atomic subtree of $a$ leaves ($\mathrm{SSD}_a$): $\mathcal{S}_{\mathrm{SSD}_a} = \{A_u \setminus A_v : u \text{ is an ancestor of } v \text{ in the same atomic subtree}\}$. It is known [11] that $\mathcal{S}_{\mathrm{SSD}_a}$ is $O(r\log_a(n/r)+r)$-complement-cover. Using a similar approach to the proof of Theorem 1, it is not hard to see that each $A_u \setminus A_v$ can be partitioned into at most 2 sets in $\mathcal{S}_{\mathrm{LSIC}[\log_a n]}$. (The proof is omitted here due to space.) Combining these we have that $\mathrm{LSIC}[\log_a n]$ has $c_{\mathrm{LSIC}[\log_a n]}(n,r) = 2c_{\mathrm{SSD}_a}(n,r) = O(r\log_a(n/r)+r)$. □


4 Key Derivation Based on PRSG 

4.1 Reformalize the PRSG Based Framework of [4] 

Framework Idea (review). In this framework, we use pseudo-random sequence generators to derive keys from one subset to another. The correctness of access control schemes allows this to be done only if the first set is included in the latter (e.g., $\{1\} \subset \{1,2\}$). Thus such derivations can be defined in correspondence with directed edges in a graph decomposition of $\mathrm{DAG}_{\max}(\mathcal{S})$, in which all the inclusion relations in $\mathcal{S}$ are included. One exception is that there should be no node with indegree $>1$ in any graph in the decomposition, since it would imply a collision of the PRSG, which should be computable by neither broadcasters nor adversaries. Therefore, all the valid decompositions are tree decompositions, of which the class includes all graph decompositions of the poset that allow indegree $\le 1$ for all nodes. Each user then stores the keys for the subsets which he is in and which are closest to the root of that tree. For the toy example 1 in Fig. 1, our paradigm with the tree decomposition in the figure, namely $\mathcal{T}_{\mathrm{toy1}}$, allows user 2 to store only the keys at 2, 24.

Note that in order to be provably secure in the KIND sense, it is mandatory to make an adaptation so that keys are not derived from another key directly. Instead, one should use intermediate keys, denoted $t(S)$ for $S \in \mathcal{S}$; how to use them is explained in the construction. This was neglected in many recent schemes that use similar one-way derivation approaches.

The Construction $(X)^{\mathrm{prsg}}$. This is based solely on a tree decomposition, say $\mathcal{T}$, of the poset $\mathcal{S}_X$. The scheme applies to an arbitrary complement-cover set system $X$.

Keygen: (Subset keys) At a root $S$ of a tree in $\mathcal{T}$, let $t(S) \leftarrow \{0,1\}^\lambda$. For each node $S$ (either root or non-root of a tree in $\mathcal{T}$) whose children are $S_{i_1},\dots,S_{i_d}$, where $d$ is the outdegree of $S$, we define the following recurrence relation:

$$t(S_{i_1}) \,\|\, \cdots \,\|\, t(S_{i_d}) \,\|\, k(S) \leftarrow \mathrm{PRSG}_{d+1}(t(S)), \qquad (3)$$

where $|t(S_{i_1})| = \cdots = |t(S_{i_d})| = |k(S)| = \lambda$ bits and $\mathrm{PRSG}_j : \{0,1\}^\lambda \to \{0,1\}^{j\lambda}$.
(User keys) For $u \in N$, we define $p(u) = \{t(S) \mid u \in S;\ u \notin \mathrm{parent}_G(S),\ G \in \mathcal{T}\}$.
Derive: Find the tree in which $S$ lies and then use Eq.(3) to derive $k(S)$.

Characterizing Efficiency. Let $\mathrm{RN}_{\mathcal{T}}(u) = |\{S \mid u \in S;\ u \notin \mathrm{parent}_G(S),\ G \in \mathcal{T}\}|$ and call it the reachability number of $u$ in $\mathcal{T}$ (since it is the minimal number of nodes sufficient that, when traversing from these nodes in the edge direction, we meet all $S \in \mathcal{S}$ such that $u \in S$). Let $\mathrm{DD}_{\mathcal{T}}$ be the depth of the deepest tree. We have

$$\mathrm{KeySize}_{(X)^{\mathrm{prsg}}}(u) = \mathrm{RN}_{\mathcal{T}}(u), \qquad \mathrm{CompCost}_{(X)^{\mathrm{prsg}}} = \mathrm{DD}_{\mathcal{T}}.$$

Theorem 3. ([4]) $(X)^{\mathrm{prsg}}$ is secure in the sense of KIND assuming a secure PRSG.
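As an added example (not the paper's code), here is Construction $(X)^{\mathrm{prsg}}$ run on a tree decomposition of the toy-example poset chosen by hand here (Fig. 1 is not reproduced, so this is an assumption rather than $\mathcal{T}_{\mathrm{toy1}}$); the PRSG is instantiated as HMAC-SHA256 in counter mode, also an assumption of this example.

```python
"""Construction (X)^prsg of Section 4.1 on a small tree decomposition.
Added example, not code from the paper.  The decomposition below is a
hand-chosen one for the poset of toy example 1 (an assumption, not
necessarily T_toy1); PRSG_m is instantiated with HMAC-SHA256 in counter
mode (also an assumption)."""
import hashlib
import hmac
import secrets

LAMBDA = 32  # lambda = 256 bits, the length of every t(S) and k(S)


def fs(*xs):
    return frozenset(xs)


# Tree decomposition as node -> parent (None marks a tree root).  Every edge
# (parent, child) is an inclusion parent ⊂ child; the dict form enforces
# indegree <= 1, which the framework requires.
T_DECOMP = {
    fs(1): None,
    fs(2): None, fs(1, 2): fs(2), fs(1, 2, 3): fs(1, 2), fs(2, 3): fs(2),
    fs(3): None, fs(3, 4): fs(3),
    fs(4): None,
    fs(2, 4): None,
}


def children(tree, s):
    """Children of S in its tree, in a fixed order (the i_1..i_d of Eq. (3))."""
    return sorted((c for c, p in tree.items() if p == s), key=sorted)


def prsg(seed, m):
    """PRSG_m : {0,1}^lambda -> {0,1}^{m*lambda}, returned as m blocks."""
    return [hmac.new(seed, bytes([i]), hashlib.sha256).digest() for i in range(m)]


def keygen(tree, rng=secrets.token_bytes):
    """Eq. (3): t(S_i1)||...||t(S_id)||k(S) <- PRSG_{d+1}(t(S)) at every node."""
    t, k = {}, {}

    def visit(s):
        kids = children(tree, s)
        out = prsg(t[s], len(kids) + 1)
        for kid, block in zip(kids, out):
            t[kid] = block
            visit(kid)
        k[s] = out[-1]          # the subset key is its own output block

    for s, parent in tree.items():
        if parent is None:      # tree root: t(S) <- {0,1}^lambda
            t[s] = rng(LAMBDA)
            visit(s)
    return t, k


def user_keys(tree, t, u):
    """p(u) = {t(S) : u in S, u not in parent(S)}; |p(u)| = RN_T(u)."""
    return {s: t[s] for s, p in tree.items() if u in s and (p is None or u not in p)}


def derive(tree, p_u, target):
    """Derive k(target) from p(u) with nothing but Eq. (3)."""
    path, s = [], target
    while s not in p_u:                  # climb to the stored ancestor
        path.append(s)
        s = tree[s]
        if s is None:
            raise KeyError("user holds no key on the path to this subset")
    seed = p_u[s]
    for nxt in reversed(path):           # walk back down, re-expanding seeds
        kids = children(tree, s)
        seed = prsg(seed, len(kids) + 1)[kids.index(nxt)]
        s = nxt
    return prsg(seed, len(children(tree, s)) + 1)[-1]


def check_all(tree):
    """Every member derives the right subset key; returns |p(u)| per user."""
    t, k = keygen(tree)
    for s in tree:
        for u in s:
            assert derive(tree, user_keys(tree, t, u), s) == k[s]
    assert len(set(k.values())) == len(k)
    return {u: len(user_keys(tree, t, u)) for u in range(1, 5)}
```

With this decomposition user 2 stores exactly the two seeds at 2 and 24, as the text describes for $\mathcal{T}_{\mathrm{toy1}}$.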
4.2 PRSG Based Instantiation for SIC, LSIC 

Instantiating SIC. It suffices to define a tree decomposition of $\mathcal{S}_{\mathrm{SIC}}$; the concrete scheme then follows automatically from the general construction of the framework. We choose the following natural one and prove that it is the optimal decomposition for SIC. For $i<j \in N$, define the graph $G(i \to j)$ as $\{i\} \to \{i,i+1\} \to \cdots \to \{i,\dots,j\}$ and $G(i \leftarrow j)$ as $\{j\} \to \{j-1,j\} \to \cdots \to \{i,\dots,j\}$. Let

$$\mathcal{T}_{\mathrm{SIC}} = \{G(l_v+1 \leftarrow r_v) \mid v \in \mathrm{BT}_L\} \cup \{G(l_v \to r_v-1) \mid v \in \mathrm{BT}_R\} \cup \{G(1 \to n),\ G(2 \leftarrow n)\}. \qquad (5)$$

Let $\langle x \rangle$ denote the binary representation of $x$. We have the following theorem.

Theorem 4. The tree decomposition $\mathcal{T}_{\mathrm{SIC}}$ yields minimal $\max_{u \in N} \mathrm{RN}_{\mathcal{T}}(u)$; indeed we have



where $f(y)$ := the number of the same consecutive least significant bits of $y$. In particular, $\max_{u \in N} \mathrm{RN}_{\mathcal{T}_{\mathrm{SIC}}}(u) = \log n + 1$. We also have $\mathrm{DD}_{\mathcal{T}_{\mathrm{SIC}}} = n$.

Proof. We define $F_v = (l_v+1 \leftarrow r_v)$ if $v \in \mathrm{BT}_L$ and $(l_v \to r_v-1)$ if $v \in \mathrm{BT}_R$. $\mathcal{T}_{\mathrm{SIC}}$ is really a tree decomposition since $\{F_v : v \in \mathrm{BT}_L \cup \mathrm{BT}_R\} \cup \{(1 \to n), (2 \leftarrow n)\}$ can be proved to be a pairwise non-intersecting family (somewhat straightforwardly). Next we prove the formula for $\mathrm{RN}_{\mathcal{T}_{\mathrm{SIC}}}(u)$. For $u \in N \setminus \{1\}$, the only possible trees in $\mathcal{T}_{\mathrm{SIC}}$ in which $u$ appears are the graphs $G(F_v)$ for internal nodes $v$ on the path from the leaf $u$ to the root in BT, and $G(1 \to n)$, $G(2 \leftarrow n)$. Each graph $G(\cdot)$ in which $u$ appears contributes one key for $u$. Thus $\mathrm{RN}_{\mathcal{T}_{\mathrm{SIC}}}(u)$ is at most $(\log n - 1) + 2$. Let $u, w_1, \dots, w_{\log n} = \mathrm{root}$ be the nodes on that path. Due to symmetry, we assume w.l.o.g. that $w_1, \dots, w_{z-1} \in \mathrm{BT}_L$ and $w_z \in \mathrm{BT}_R$. Now it is easy to see that

for $1 \le j \le z-1$: $G(F_{w_j}) = G(l_{w_j}+1 \leftarrow r_{w_j})$ does not contain $u$ $(= l_{w_j})$;
for $j = z$: $G(F_{w_z}) = G(l_{w_z} \to r_{w_z}-1)$ contains $u$ $(= l_{w_z})$;

for $z < j < \log n$: $G(F_{w_j})$ contains $u$ (since $l_{w_j} < u < r_{w_j}$),

and that $z = f(\langle u-1 \rangle)$. Thus $\mathrm{RN}_{\mathcal{T}_{\mathrm{SIC}}}(u) = (\log n - 1) + 2 - (f(\langle u-1 \rangle) - 1)$ as desired. Now we prove that $\mathcal{T}_{\mathrm{SIC}}$ is optimal (obtaining minimal $\max_{u \in N} \mathrm{RN}_{\mathcal{T}}(u)$ among all $\mathcal{T}$ of SIC). Observe that for all $\mathcal{T}$ of SIC, $\sum_{u \in N} \mathrm{RN}_{\mathcal{T}}(u) = \sum_{S \in \mathcal{S}_{\mathrm{SIC}}} |\{u : u \in S,\ u \notin \mathrm{parent}_G(S),\ G \in \mathcal{T}\}| \ge |\mathcal{S}_{\mathrm{SIC}}| = n\log n + 1$. Hence $\max_{u \in N} \mathrm{RN}_{\mathcal{T}}(u) \ge \lceil (n\log n + 1)/n \rceil = \log n + 1$. Our decomposition matches this bound. □

The number of keys at each user is not uniform, as recorded in the corollary below. While sharing some similarities with our scheme, the basic schemes in [12,20] assign one-way chains in both left and right directions at each node in BT, while we use only one direction and exploit some symmetries. This gives an intuition as to why we can reduce the key size by at least a factor of 2 (and up to $\log n$ in the best case, user 1). Those schemes can be considered as instantiations in our framework, but with storage redundancies in the sense that the set systems extracted from their schemes are sets with repetition. Moreover, the scheme of [12] can also be shown to be derivation-redundant since its derivation graph, as exposed in our framework, contains loop edges. (See our full paper.)

Corollary 5. In the scheme $(\mathrm{SIC})^{\mathrm{prsg}}$, there are exactly $2^x$ users who store exactly $x+2$ keys for $0 \le x \le (\log n)-1$ and exactly 1 user who stores 1 key.
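The following added example (not code from the paper) serves both Section 3.1 and this subsection: it builds $\mathcal{S}_{\mathrm{SIC}}$ from Eq.(1) for a constructed $n$, partitions $N \setminus R$ following the case analysis in the proof of Theorem 1, and counts the keys each user stores under $\mathcal{T}_{\mathrm{SIC}}$ (Theorem 4, Corollary 5). Laying BT out as a heap is an implementation choice of this example.

```python
"""SIC set system over n = 2^h users (Eq. (1)), the <= 2 sets per consecutive
run from the proof of Theorem 1, and the per-user key counts of Theorem 4 /
Corollary 5 for the chain decomposition T_SIC of Eq. (5).
Added example, not code from the paper; n is a constructed parameter."""
from collections import Counter
from itertools import combinations


def arrow(i, j, direction):
    """(i -> j) = {{i},{i,i+1},...,{i..j}};  (i <- j) = {{j},{j-1,j},...,{i..j}}.
    Returned in chain order, each set strictly including the previous one."""
    if direction == "fwd":
        return [frozenset(range(i, t + 1)) for t in range(i, j + 1)]
    return [frozenset(range(t, j + 1)) for t in range(j, i - 1, -1)]


# BT in heap layout: root = 1, children of v are 2v and 2v+1, and the leaf
# labelled u (1..n) is node n+u-1.  Left children have even index.
def leftmost(v, n):            # l_v
    while v < n:
        v = 2 * v
    return v - n + 1


def rightmost(v, n):           # r_v
    while v < n:
        v = 2 * v + 1
    return v - n + 1


def lca(i, j, n):              # lca(i, j) for leaf labels i, j
    a, b = n + i - 1, n + j - 1
    while a != b:
        a, b = a // 2, b // 2
    return a


def sic_chains(n):
    """The collections of Eq. (1); read as graphs they are exactly T_SIC."""
    bt_l = [v for v in range(2, n) if v % 2 == 0]   # internal left children
    bt_r = [v for v in range(2, n) if v % 2 == 1]   # internal right children
    chains = [arrow(leftmost(v, n) + 1, rightmost(v, n), "bwd") for v in bt_l]
    chains += [arrow(leftmost(v, n), rightmost(v, n) - 1, "fwd") for v in bt_r]
    chains += [arrow(1, n, "fwd"), arrow(2, n, "bwd")]
    return chains


def sic_family(n):
    """S_SIC as a set of frozensets; |S_SIC| = n log n + 1."""
    return frozenset(s for chain in sic_chains(n) for s in chain)


def cover_run(i, j, n):
    """Split the consecutive set {i..j} into <= 2 members of S_SIC, following
    the case analysis in the proof of Theorem 1."""
    run = frozenset(range(i, j + 1))
    if i == 1 or j == n:                  # run lies in (1 -> n) or (2 <- n)
        return [run]
    a = lca(i, j, n)
    if i == leftmost(a, n) or j == rightmost(a, n):   # cases 1-4
        return [run]
    x, y = 2 * a, 2 * a + 1               # case 5: split at the children of a
    return [frozenset(range(i, rightmost(x, n) + 1)),
            frozenset(range(leftmost(y, n), j + 1))]


def complement_cover(revoked, n):
    """Partition N \\ R into members of S_SIC (at most 2|R| of them)."""
    parts, i = [], 1
    while i <= n:
        if i in revoked:
            i += 1
            continue
        j = i
        while j < n and (j + 1) not in revoked:
            j += 1
        parts += cover_run(i, j, n)
        i = j + 1
    return parts


def reachability_numbers(n):
    """RN_{T_SIC}(u): one stored key per chain whose top set contains u."""
    chains = sic_chains(n)
    return {u: sum(1 for c in chains if u in c[-1]) for u in range(1, n + 1)}


def key_count_histogram(n):
    """Map 'number of keys' -> 'number of users' (Corollary 5)."""
    return dict(Counter(reachability_numbers(n).values()))


def check_complement_cover(n, r):
    """Exhaustively check Theorem 1 for every revoked set R with |R| = r."""
    family = sic_family(n)
    for revoked in combinations(range(1, n + 1), r):
        parts = complement_cover(set(revoked), n)
        if not all(p in family for p in parts):
            return False
        if len(parts) > 2 * r or sum(len(p) for p in parts) != n - r:
            return False
    return True
```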

Instantiating LSIC. Before describing our default tree decomposition of $\mathcal{S}_{\mathrm{LSIC}[k]}$, denoted $\mathcal{T}_{\mathrm{LSIC}[k]}$, we first describe a more straightforward one, denoted $\mathcal{T}'_{\mathrm{LSIC}[k]}$, which is constructed, informally, as the union of all $\mathcal{T}_{\mathrm{SIC}}$ applied to each atomic subtree in BT. More formally, we can define $G(u \to v)$ for $u,v$ which are leaves in the same atomic subtree, analogously as before, by letting $G(u \to v) = A_u \to A_u \cup A_{u^{(+1)}} \to \cdots \to (A_u \cup \cdots \cup A_v)$, and analogously for $G(u \leftarrow v)$. Without going into details, we can define $\mathcal{T}'_{\mathrm{LSIC}[k]}$ from Eq.(2) in the same way as we defined $\mathcal{T}_{\mathrm{SIC}}$ in Eq.(5) from Eq.(1).

Now $\mathcal{T}_{\mathrm{LSIC}[k]}$ is constructed by the observation that $G(l'_v \to r'^{(-1)}_v)$ and $G(v \to *)$ can be combined into one chain (and in particular, one tree), since the maximum element in the former, $A_{l'_v} \cup \cdots \cup A_{r'^{(-1)}_v}$, is included in $A_v$, the minimum element of the latter. For $v \in \mathrm{BT}_R \cup \{\mathrm{root}\}$, let $w_1, \dots, w_m$ be the sequence of nodes in $\mathrm{BT}_L \cap \mathcal{A}$ such that $w_1 = l'_v$; for $1 \le i \le m-1$, $w_{i+1} = l'_{w_i}$; and $l_v = l'_{w_m}$. Then define

$$G(l'_v \to x) := G(l'_{w_m} \to r'^{(-1)}_{w_m}) \Rightarrow \cdots \Rightarrow G(l'_{w_1} \to r'^{(-1)}_{w_1}) \Rightarrow G(l'_v \to x),$$

where $x$ is some right node of $l'_v$. (Here $\Rightarrow$ means to connect the chains.) The definition of $G(x \leftarrow r'_v)$ for $v \in \mathrm{BT}_L \cup \{\mathrm{root}\}$ can be done analogously. Now we define

$$\mathcal{T}_{\mathrm{LSIC}[k]} = \{G(l'^{(+1)}_v \leftarrow r'_v) \mid v \in \mathrm{BT}_L\} \cup \{G(l'_v \to r'^{(-1)}_v) \mid v \in \mathrm{BT}_R\} \cup \{G(l'_{\mathrm{root}} \to r'_{\mathrm{root}}),\ G(l'^{(+1)}_{\mathrm{root}} \leftarrow r'_{\mathrm{root}})\}. \qquad (6)$$

Fig. 4. The tree decomposition $\mathcal{T}_{\mathrm{LSIC}[k]}$ of the set system LSIC[$k$] (see Fig. 3). A simpler decomposition is the one without the thick red edges.

The abstraction of this decomposition may disguise the simplicity of the scheme; in Fig. 4 we thus give an explicit example for $n=16$ and $k=2$ (cf. Fig. 3).

The following theorem and corollary can be proved by an elementary counting argument based on Theorem 4. We defer the proof to the full version of this paper.


Theorem 6. The tree decomposition $\mathcal{T}_{\mathrm{LSIC}[k]}$ yields

$$\mathrm{RN}_{\mathcal{T}_{\mathrm{LSIC}[k]}}(u) = \log n + 1 + k - g_k(\langle u-1 \rangle),$$

where $g_k(\langle x \rangle) := f(0\|\langle x_1\rangle) + f(b_1\|\langle x_2\rangle) + \cdots + f(b_{k-1}\|\langle x_k\rangle)$, where we parse $\langle x \rangle$, padded with 0s on the left so as to have length $\log n$ bits, as $\langle x_1\rangle \| \cdots \| \langle x_k\rangle$ so that each $\langle x_i\rangle$ has length $(\log n)/k$ bits; $b_j$ is the least significant bit of $\langle x_j\rangle$. In particular, $\max_{u \in N} \mathrm{RN}_{\mathcal{T}_{\mathrm{LSIC}[k]}}(u) = \log n + 1$. We also have $\mathrm{DD}_{\mathcal{T}_{\mathrm{LSIC}[k]}} = kn^{1/k}$.

As an example, user 4 will store 2 keys: $k(1234)$, $k(4)$ (see Fig. 4). This can be calculated as $|p(4)| = 4+1+2-(f(0\|00)+f(0\|11)) = 2$ (note $\langle 4-1 \rangle = 0011$).

Corollary 7. In $(\mathrm{LSIC}[k])^{\mathrm{prsg}}$, exactly $\sum_{j=0}^{k} \binom{k}{j}\, C(x-1,\, j,\, (\log n)/k)\, 2^{x-1-j}$ users store exactly $x$ keys for $2 \le x \le (\log n)+1$, and exactly 1 user stores 1 key, where $C(a,b,c)$ is the number of integer compositions (ordered partitions) of $a$ into $b$ positive integers, each $\le c$.²

5 Key Derivation Based on Non-trapdoor RSA 

5.1 The New Non-trapdoor RSA Based Framework 

Framework Idea. We first briefly review the access control scheme of Akl-Taylor [1]. There, each $S \in \mathcal{S}$ is assigned a publicly known prime, say $p_S$. The key of $S$ is defined as $k(S) = s^{\prod_{T : S \not\to T} p_T}$ modulo an RSA modulus, where $s$ is a secret and $S \not\to T$ means $(S,T)$ is not an edge in $\mathrm{DAG}_{\max}(\mathcal{S})$. Each user $u$ just stores $k(\{u\})$. The terms in the exponents are arranged so that even any collusion cannot compute keys that are not supposed to be computable by them. However, the number of primes used in the above scheme is too large, as large as $|\mathcal{S}|$. Such primes will be stored as non-secret storage or derived on-the-fly.³ We propose a new paradigm which makes use of prime powers so that the number of primes used becomes optimal. We will see shortly that assigning prime powers depends essentially on a chain decomposition of $\mathrm{DAG}_{\max}(\mathcal{S})$. Indeed, the number of primes used will be exactly the number of chains, and each node in the same chain will correspond to the same prime but with a distinct power. For the toy example 1 in Fig. 1, our new paradigm with the chain decomposition $\mathcal{C}_{\mathrm{toy1}}$ results in only 5 primes used, while Akl-Taylor's needs 9 primes. We will describe how to assign those powers over primes by an incidence matrix. We formalize the notion of incidence matrices that admit a secure scheme as maximin matrices:

² For example, $C(5,3,2) = 3$ since $5 = 1+2+2 = 2+1+2 = 2+2+1$. The exact formula of $C(a,b,c)$ is quite complicated and is shown in [19].

Maximin Matrix. An $n \times m$ matrix $\{a_{ij}\}$ where $a_{ij} \in \mathbb{Z}_{\ge 0}$ is called a maximin matrix for set system $X$ if for all $S \in \mathcal{S}_X$ there exists $j$, $1 \le j \le m$, such that $\max_{i \in S} a_{ij} < \min_{i \in N \setminus S} a_{ij}$. We give a formal treatment of RSA functions as accumulators and our construction first, then explain later.

RSA Accumulators. We fix a function $f : U_f \times E_f \to U_f$ to be an RSA function: $f(x,e) := x^e \bmod \eta$ where $\eta = pq$, $p = 2p'+1$, $q = 2q'+1$ and $p,q,p',q'$ are distinct odd primes. We restrict $U_f$ to be the set of quadratic residues and $E_f$ to be the set of primes not equal to $p',q'$. We say $f$ is generated from an RSA function generator $\mathsf{G}_{\mathrm{RSA}}(1^\lambda)$. The function $f$ is an instance of RSA accumulators, first proposed in [5], which has a quasi-commutative property: for all $x \in U_f$ and $e_1,e_2 \in E_f$, $f(f(x,e_1),e_2) = f(f(x,e_2),e_1)$. If $E = \{e_1,\dots,e_k\}$ where each $e_j \in E_f$, then we denote $f(x,E) := f(f(\dots f(x,e_1),\dots),e_k)$. Note that a set $E$ is treated as a multi-set, where the repetition of members is important. We thus denote a repetition of a member $e$ which occurs $t_e$ times as $t_e \triangleleft e$. For example, $f(x,\{s \triangleleft e_1,\ t \triangleleft e_2\}) = x^{e_1^s e_2^t}$.

The Construction $(X)^{\mathrm{acc}}$.

Keygen: Run $\mathsf{G}_{\mathrm{RSA}}$ to obtain a description of $f : U_f \times E_f \to U_f$. Pick a random secret $s \in U_f$. For $1 \le j \le m$, pick an element $p_j \in E_f$. Let pub consist of all $p_j$'s and $\{a_{ij}\}$; indeed we let the user derive the prime $p_j$ only when necessary, by predetermining the intervals of those primes (see below). Let

$$p(u) = f\big(s, \{a_{uj} \triangleleft p_j : 1 \le j \le m\}\big), \qquad k(S) = f\big(s, \{(\max_{i \in S} a_{ij}) \triangleleft p_j : 1 \le j \le m\}\big), \qquad (7)$$

for user $u \in N$ and set $S \in \mathcal{S}_X$.

Derive: Compute $k(S) = f\big(p(u), \{(\max_{i \in S} a_{ij} - a_{uj}) \triangleleft p_j : 1 \le j \le m\}\big)$.

Theorem 8. $(X)^{\mathrm{acc}}$ is KINT-secure assuming the strong RSA assumption.

First, it is easy to see that correctness holds: Derive is computable. Next we give an intuition as to why, for each $S \in \mathcal{S}$, the collusion of all users from $N \setminus S$ cannot compute the key of $S$. Informally, the best they can do is to obtain the value with the same base $s$ and the exponent term being the GCD of all the exponent terms of the keys for users in $N \setminus S$, which is $\prod_{j=1}^{m} p_j^{\min_{i \in N \setminus S} a_{ij}}$ (by the well-known trick using the extended Euclidean algorithm). To be able to compute the key of $S$, it must divide $\prod_{j=1}^{m} p_j^{\max_{i \in S} a_{ij}}$. But this will not happen due to the property of the maximin matrix.

³ In the latter, a sequence of integers $\{x_i\}$ is pre-specified by the broadcaster and $p_i$ is defined to be the first prime in $[x_i, x_{i+1})$; the program to recognize $\{x_i\}$ has negligible size (cf. [2]). More primes imply more computational cost on-the-fly.

Constructing a Maximin Matrix. Consider a chain decomposition $\mathcal{C} = \{G_1,\dots,G_m\}$ of $\mathcal{S}_X$. For each chain $G_j : S_1 \to \cdots \to S_l$, construct the $j$-th column by letting, for all $i \in N$ (with $S_0 := \emptyset$),

$$a_{ij} := \begin{cases} w & \text{if } i \in S_{w+1} \setminus S_w, \\ l & \text{otherwise.} \end{cases} \qquad (8)$$

Proposition 9. The above construction is a maximin matrix. Moreover, a $\mathcal{C}$ with the minimum number of chains yields the maximin matrix with the minimum $m$, the number of all primes used.

Proof. We will prove that the construction by Eq.(8) is a maximin matrix for $X$. Consider an arbitrary $S \in \mathcal{S}$; observe that there is a chain $G_j : S_1 \to \cdots \to S_l$ and some $w$, $0 \le w \le l-1$, such that $S = S_{w+1}$ (since $\mathcal{C}$ is a chain decomposition). For all $i \in S$ we have $0 \le a_{ij} \le w$ by the construction. For all $i' \in N \setminus S$ we have $w < a_{i'j}$, also by the construction. This implies $\max_{i \in S} a_{ij} \le w < \min_{i' \in N \setminus S} a_{i'j}$, which is what we wanted to prove. To prove the second claim, it is sufficient to prove the converse of the first claim: from any maximin matrix for $X$ one can construct a chain decomposition in which the number of chains is less than or equal to the number of columns of the matrix. The proof idea is essentially the same as for the first claim, thus we defer the details to the full version of this paper. □
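An added example (not the paper's code) of Construction $(X)^{\mathrm{acc}}$ built on the maximin matrix of Eq.(8): the chain decomposition of the toy-example poset and all RSA values are constructed toy parameters (it is not the $\mathcal{C}_{\mathrm{toy1}}$ of Fig. 1, and the modulus is far too small for any real use); the last function checks the divisibility argument given after Theorem 8.

```python
"""Construction (X)^acc (Section 5.1) from a chain decomposition, with the
maximin matrix of Eq. (8).  Added example; not code from the paper.  The chain
decomposition of the toy-example poset and all RSA values are constructed toy
parameters (eta = 23*47 is far too small for real use)."""
from math import prod

N = (1, 2, 3, 4)
# A chain decomposition C = {G_1,...,G_m} of the toy poset, each chain listed
# bottom-up, S_1 -> S_2 -> ..., each set strictly including the previous one.
CHAINS = [
    [frozenset({1}), frozenset({1, 2}), frozenset({1, 2, 3})],
    [frozenset({2}), frozenset({2, 3})],
    [frozenset({3}), frozenset({3, 4})],
    [frozenset({4}), frozenset({2, 4})],
]
SUBSETS = [s for chain in CHAINS for s in chain]

P, Q = 23, 47               # p = 2p'+1, q = 2q'+1 with p' = 11, q' = 23
ETA = P * Q
SECRET_S = pow(4, 2, ETA)   # the secret s, a quadratic residue (element of U_f)
PRIMES = [3, 5, 7, 13]      # p_j in E_f, one per chain; none equals p' or q'


def maximin_matrix(chains, users):
    """Eq. (8): a_ij = w if i in S_{w+1} \\ S_w (S_0 = empty), else l = |G_j|."""
    a = {}
    for j, chain in enumerate(chains):
        for i in users:
            a[i, j] = len(chain)
        prev = frozenset()
        for w, s in enumerate(chain):
            for i in s - prev:
                a[i, j] = w
            prev = s
    return a


def is_maximin(a, m, users, subsets):
    """Definition check: every S has a column j with
    max_{i in S} a_ij < min_{i in N \\ S} a_ij."""
    for s in subsets:
        others = [i for i in users if i not in s]
        if not others:
            continue
        if not any(max(a[i, j] for i in s) < min(a[i, j] for i in others)
                   for j in range(m)):
            return False
    return True


def accumulate(x, counts):
    """f(x, {t_j <| p_j : j}) = x^(prod_j p_j^{t_j}) mod eta."""
    return pow(x, prod(p ** t for p, t in zip(PRIMES, counts)), ETA)


def column_max(a, m, s):
    """(max_{i in S} a_ij)_j, the exponent multiset of k(S)."""
    return [max(a[i, j] for i in s) for j in range(m)]


def keygen(a, m, users, subsets):
    """Eq. (7): user keys p(u) and subset keys k(S) from the secret s."""
    user_key = {u: accumulate(SECRET_S, [a[u, j] for j in range(m)]) for u in users}
    subset_key = {s: accumulate(SECRET_S, column_max(a, m, s)) for s in subsets}
    return user_key, subset_key


def derive(a, m, p_u, u, s):
    """Derive: k(S) = f(p(u), {(max_{i in S} a_ij - a_uj) <| p_j : j})."""
    return accumulate(p_u, [mx - a[u, j] for j, mx in enumerate(column_max(a, m, s))])


def coalition_blocked(a, m, users, s):
    """The argument after Theorem 8: N \\ S can at best reach the exponent
    prod_j p_j^{min_{i not in S} a_ij}; it must not divide k(S)'s exponent."""
    others = [i for i in users if i not in s]
    reach = prod(p ** min(a[i, j] for i in others) for j, p in enumerate(PRIMES))
    target = prod(p ** mx for p, mx in zip(PRIMES, column_max(a, m, s)))
    return target % reach != 0
```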

Characterizing Efficiency. We will generate primes on the fly using the technique in [2] (cf. footnote 3). Without going into detail, this technique requires computational cost $O(\log^4 P)$ to generate one prime, and produces each prime of size $O(P\log P)$, where $P$ is the number of all primes needed in such a scheme. In our scheme, $P = m$. Note that when $P = O(1)$ it is worthless to use this technique; we just store the least $P$ primes (which requires only negligible storage), so the cost for prime generation in this case is $O(1)$.

Using the notation defined earlier, we have that $\mathrm{RN}_{\mathcal{C}}(u)$ represents the number of chains in $\mathcal{C}$ in which $u$ appears, and $\mathrm{DD}_{\mathcal{C}}$ represents the length of the longest chain in $\mathcal{C}$. The number of all chains in $\mathcal{C}$ is $|\mathcal{C}|$ (and $= m$). We obtain:

$$\mathrm{KeySize}_{(X)^{\mathrm{acc}}}(u) = 1, \qquad \mathrm{CompCost}_{(X)^{\mathrm{acc}}} = O(\mathrm{MC}_{\mathcal{C}} + \mathrm{PC}_{\mathcal{C}}),$$

where $\mathrm{MC}_{\mathcal{C}}(u)$, $\mathrm{PC}_{\mathcal{C}}(u)$ are the costs due to modular exponentiation and on-the-fly prime generation for user $u$ respectively, and $\mathrm{MC}_{\mathcal{C}} := \max_{u \in N} \mathrm{MC}_{\mathcal{C}}(u)$, $\mathrm{PC}_{\mathcal{C}} := \max_{u \in N} \mathrm{PC}_{\mathcal{C}}(u)$. Such costs depend solely on $\mathcal{C}$ and can be characterized as:

$$\mathrm{MC}_{\mathcal{C}}(u) = O\big(\mathrm{DD}_{\mathcal{C}} \cdot (\log|\mathcal{C}|) \cdot \mathrm{RN}_{\mathcal{C}}(u)\big), \qquad \mathrm{PC}_{\mathcal{C}}(u) = O\big((\log^4|\mathcal{C}|) \cdot \mathrm{RN}_{\mathcal{C}}(u)\big).$$


Graph-Decomposition-Based Frameworks 115 


The analysis is as follows. The cost of modular exponentiation for computing Derive is logarithmic in the exponent term, which is $\prod_{j=1}^{m} p_j^{(\max_{i \in S} a_{ij}) - a_{uj}}$. To determine its complexity, observe that $\max_{i \in S} a_{ij} = a_{uj}$ for all but only $\mathrm{RN}_{\mathcal{C}}(u)$ terms of $j$, due to Eq.(8) and the fact that $u$ appears in only $\mathrm{RN}_{\mathcal{C}}(u)$ chains. Also, observe that $\max_{i \in S} a_{ij} - a_{uj} \le \mathrm{DD}_{\mathcal{C}}$ due to Eq.(8). Each $p_j$ is $O(m\log m)$, hence has bit length $O(\log m)$. Combining these, we get $\mathrm{MC}_{\mathcal{C}}(u)$ as above. The cost for prime generation above follows from the fact that the number of primes to be generated when deriving keys is $\mathrm{RN}_{\mathcal{C}}(u)$.

Remark 1. The MC of our scheme is asymptotically optimal among all non-trapdoor RSA-accumulator based paradigms (if there are any others) since it matches the lower bound in [11], which states that the optimal MC is of the same order as the number of subsets (in the set system) that one user is in, albeit here we calculate in bit complexity, which includes the size of primes.

Remark 2. The Akl-Taylor scheme [1] is a special case of our framework where the trivial chain decomposition (the collection of all one-node chains) is used.

5.2 Non-trapdoor RSA Based Instantiation for SIC, LSIC 

Instantiating SIC, LSIC. We state the result for LSIC so that the result for SIC can be obtained by setting $k=1$. It suffices to define a chain decomposition of $\mathcal{S}_{\mathrm{LSIC}[k]}$ and the concrete scheme follows automatically. We choose the chain decomposition $\mathcal{C}_{\mathrm{LSIC}[k]} = \mathcal{T}_{\mathrm{LSIC}[k]}$ defined in Eq.(6). (Note that it is obvious that $\mathcal{T}_{\mathrm{LSIC}[k]}$ is also a chain decomposition.) A concrete example for $(\mathrm{SIC})^{\mathrm{acc}}$ is shown in Fig. 5 for $n=8$. As an example, the subset key $k(567)$ is $s$ raised to the product of prime powers read off Fig. 5.

The following result follows directly from Theorems 4, 6 and the generic efficiency characterization of the framework, with the fact that $|\mathcal{C}_{\mathrm{LSIC}[k]}| = n$.

Corollary 10. $\mathrm{MC}_{\mathcal{C}_{\mathrm{LSIC}[k]}} = O(kn^{1/k}\log^2 n)$ and $\mathrm{PC}_{\mathcal{C}_{\mathrm{LSIC}[k]}} = O(\log^5 n)$.

Scheme $(\mathrm{LSIC}[k])^{\mathrm{acc}}$ has computational cost $O(\max\{kn^{1/k}\log^2 n,\ \log^5 n\})$. For a trillion users ($n = 10^{12}$), choosing $k$ as low as 4 we have $4n^{1/4}\log^2 n < \log^5 n$, so that the computational cost is dominated by the latter, which is roughly as in Asano's scheme (but ours enjoys an exceptionally lower header size).

Fig. 5. Instantiating SIC ($n=8$) by the non-trapdoor RSA accumulator based framework.

Remark 3. If we instantiate with Akl-Taylor's, its chain decomposition has $\max_{u \in N} h_u = O(n^{1/k}\log n)$, and $m = O(2^k \cdot n^{1/k}(\log n)/k)$. Thus $\mathrm{PC} = O(n^{1/k}\log^5 n)$, which is much worse than ours, $O(\log^5 n)$. Moreover, this cost always dominates the optimal MC for LSIC, $O(n^{1/k}\log^2 n)$.

6 Key Derivation Based on Trapdoor RSA Accumulator 

6.1 The New Trapdoor RSA Based Framework 

Framework Idea. The framework in this section is applicable to a class of posets that we call tree-stratifiable posets. Informally, a poset of this type is one which can be considered as formed by a tree hierarchy of atomic posets (not necessarily homogeneous), as shown in Fig. 6. There, the graph decomposition $\mathcal{G} = \{G_x, G_y, G_z, \dots\}$ is said to form a hierarchy represented by the tree $H$ where $V(H) = \{x,y,z,\dots\}$. Intuitively, such a graph decomposition is said to form a hierarchy if all the inclusion relations from every node in a lower subgraph (one with a lower index in the hierarchy), say $G_y$ in the figure, to the next upper one in the hierarchy, $G_x$, are via a unique minimal node in that upper subgraph. Denote this minimal node by $M_{G_y}$. We will put a “dummy node” in each subgraph so that it will be the “representative” of that poset to reach that unique minimal node in the upper poset. (In the figure, the dummy node is $D_{G_y}$ for subgraph $G_y$ to reach $M_{G_y}$.)

The idea for key derivation is as follows. First we define the key for each node in the highest sub-poset in the hierarchy by using the RSA-based framework of the last section. Recursively, in a top-down fashion, we define the set of keys corresponding to each lower sub-poset in the hierarchy. At some point, the set of keys for the nodes in $G_x$ are defined. Then we define the “dummy key” for the dummy node in a next lower level sub-poset by applying a random permutation perm (w.l.o.g. we will use the reverse direction) to the key of the minimal element in that upper sub-poset that it connects to, that is, $k(D_{G_y}) = \mathrm{perm}^{-1}(k(M_{G_y}))$. To define keys for the other nodes in this lower sub-poset (at $G_y$), we again use the RSA-based framework for that sub-poset. However, this time the key for the dummy node has already been determined, while all the keys must agree with the relations of $(G'_y)^{\mathrm{acc}}$, where $G'_y$ is the modified subgraph that includes the dummy node, i.e., the relation of keys as defined in Eq.(7) instantiated to a poset that has $G'_y$ as its representation. To solve this, it suffices to use the trapdoor of RSA. In this way, we can define keys recursively until reaching the lowest sub-posets. Users, on the other hand, do not have to use the trapdoor since they only compute keys in the bottom-up fashion. Note that $(\mathrm{perm}, \mathrm{perm}^{-1})$ is a public permutation, such as any block cipher with a fixed known key. We will model perm as an ideal random permutation in the security proof (the random permutation model).

Fig. 6. The underlying idea for the trapdoor RSA based framework

The idea of reducing the whole poset by instantiating the RSA-based framework in each sub-poset results in the use of only a small number of primes for the overall scheme, since the same set of primes can be used across different instantiations for different sub-posets.

To formalize this, we first define some more notation. For a directed graph $G$, denote by $V_{\min}(G)$ the set of all minimal elements of the poset $\mathcal{S}$ such that $\mathrm{DAG}_{\min}(\mathcal{S}) = G$. $V_{\max}(G)$ is defined analogously. The definition below captures what we have explained in the framework idea. Essentially, the bijection $\pi$ below maps $G_x \mapsto x$.

Definition 3. (Tree-Stratifiable Poset) An inclusion poset $\mathcal{S}$ is called a tree-stratifiable poset iff there exist an induced graph decomposition $\mathcal{G}$ of $\mathcal{S}$ and a tree $H$ with a bijection $\pi : \mathcal{G} \to V(H)$ such that, for each $G \in \mathcal{G}$, if we define $G'$ by letting $V(G') = V(G) \cup \{D_G\}$ and $E(G') = E(G) \cup \{(S, D_G) : S \in V_{\max}(G)\}$ where $D_G$ is a dummy node, define $M_G := \bigcup_{S \in V_{\max}(G)} S$, and define a graph $W$ by letting $V(W) = \bigcup_{G \in \mathcal{G}} V(G')$ and $E(W) = \bigcup_{G \in \mathcal{G}} \big(E(G') \cup \{(D_G, M_G)\}\big)$, then we have that (1) for all $G \in \mathcal{G}$, $M_G \in V_{\min}(\pi^{-1}(\mathrm{parent}_H(\pi(G))))$ and (2) $E(\mathrm{DAG}_{\min}(\mathcal{S})) \subseteq E(\mathrm{DAG}_{\max}(W))$.

Trapdoor RSA Accumulators. A trapdoor RSA function generator $\mathsf{G}_{\mathrm{tRSA}}$ is one that works exactly the same as $\mathsf{G}_{\mathrm{RSA}}$ but in addition also outputs the trapdoor td, which is $\phi(\eta)$ where $\phi$ is Euler's phi function. With td, given the description of $f$, any $y \in U_f$, and a (multi-)set of accumulated values $E$, one can efficiently compute $x \in U_f$ such that $f(x,E) = y$. Denote such $x$ by $f_{\mathrm{td}}(y, E^{-1})$.

Towards formalizing the construction, we “normalize” each sub-poset $G \in \mathcal{G}$ so that its base set will be $B_G = \{1,\dots,|V_{\min}(G)|\}$, as follows. Construct $\gamma : V(G') \to 2^{B_G}$ by first picking an injective map $\gamma : V_{\min}(G) \to B_G$ and then defining, for $S \in V(G')$, $\gamma : S \mapsto \{\gamma(U) : U \in V_{\min}(G),\ U \subseteq S\}$. Let $\mathcal{S}_G = \gamma(V(G'))$ (the set of all images by $\gamma$ from $V(G')$) be the set system with the base set $B_G$.

The Construction (X) tacc . For simplicity we will consider homogeneously 
stratifiable poset, i.e., each S G is isomorphic to each other (in the sense that its 
corresponding DAG is isomorphic), say the set system Y. Let 
be a maximin matrix for set system Y, where d is the cardinality of its base set. 

Keygen : Run a G t RSA to obtain a description of f : Uf x Ef — ► Uf and trapdoor 
td. For 1 < j < m, pick an element pj £ Ef. Let perm and perm -1 be a 
publicly available permutation mapping Uf — ► Uf. Let pub consist of all p/s 


118 N. Attrapadung and H. Imai 


and {dij}. Pick a random t G Uf. Define keys recursively in a top-down 
fashion in the tree H: 

[Top]. At the subgraph G roo t G Q, where root is the root of H, by definition 
we have N = Mc raal - We let k(iV) = k (M Groot ) = t. 

[Intermediate]. At each atomic subgraph Gg G, the key k (Mg) is previously 
determined. Define the key for the dummy node: k (D G ) = perm _1 (k(Mc))- 
By using the trapdoor td and k (D G ), we solve Eq.(ll) by setting S = Dq 
(thus 7 (S) = Bq) to determine the secret s G > he., 

so = ftd(k(D G ),{(maxa i: ,) < Pj : 1 <j < m} _1 ). (9) 

i£B a 

Then we define the key at each element in this subgraph, S G V (G), by: 

k (S) = f(s G , {a^j < Pj :l <j< m}) (for S G V min (G)), (10) 

k(5) = f(s G , {( max a ij) < pj : 1 < j < m}) (for S G V(G)). (11) 

ie-rOS) 

[Bottom]. For each u G IV, we let p(u) = k({u}). 

Derive: Compute from the relations given in Eq.(9), (10), (11), but in a bottom-up fashion, by applications of $f(\cdot,\cdot)$ and $\mathsf{perm}(\cdot)$ starting from $f(p(u), \cdot)$. Note that $td$ is not required for this.
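A toy run of the Keygen and Derive procedures, as an added example (not the paper's code). It assumes the standard RSA-accumulator instantiation $f(x,E) = x^{\prod E} \bmod N$ with trapdoor $\varphi(N)$ (so $f_{td}$ is root extraction), a maximin matrix $a_{ij} = [i = j]$ over a base set of size 2 (so the exponent selection of $a_{ij}$ against $p_j$ in Eq.(9), (10), (11) simply includes the prime $p_j$), a fixed public affine map standing in for $\mathsf{perm}$, and a 2-ary tree $\mathcal{H}$ of depth 2 with four users. The names keygen, derive, assign_subposet and the toy primes are this example's own. The center assigns keys top-down with the trapdoor; each user reproduces exactly the same keys bottom-up from $p(u)$ using exponentiations and $\mathsf{perm}$ only, and cannot reach the sibling key $k(\{2\})$ from $k(\{1\})$ since that would require a $p_2$-th root:

```python
"""Toy run of Keygen / Derive (added example, not the paper's code).
Assumptions that are NOT stated on the page:
  * f(x, E) = x^(prod E) mod N over Z_N (the usual RSA accumulator) with
    trapdoor td = phi(N), so f_td(y, E^{-1}) = y^((prod E)^{-1} mod phi(N));
  * every sub-poset is the lattice of non-empty subsets of a base set of size
    d = 2 with maximin matrix a_ij = [i == j], i.e. "a_ij against p_j" means
    "use prime p_j when a_ij = 1";
  * perm is a fixed public affine bijection of Z_N, standing in for the
    random permutation of Theorem 11;
  * H is a 2-ary tree of depth h_H = 2, giving four users (c, i)."""
from functools import reduce
from math import gcd
from operator import mul

# Constructed toy parameters, far too small for real use.
P, Q = 1000000007, 998244353
N = P * Q
PHI = (P - 1) * (Q - 1)                 # the trapdoor td
PRIMES = {1: 3, 2: 5}                   # p_j for the base set B_G = {1, 2}
assert all(gcd(p, PHI) == 1 for p in PRIMES.values())
BASE = frozenset(PRIMES)                # B_G, identical for every sub-poset (homogeneous)
NODES = [frozenset({1}), frozenset({2}), BASE]   # V(G): {1}, {2} minimal, {1,2} plays D_G
PERM_A, PERM_C = 123457, 987654321      # public perm(x) = PERM_A*x + PERM_C mod N
CHILDREN = {1: "c1", 2: "c2"}           # minimal node {c} of the root sub-poset is M_G of child c


def prod(xs):
    return reduce(mul, xs, 1)


def exps(S):
    """Exponent set for node S: the primes p_j with a_ij = 1 for some i in gamma(S)."""
    return [PRIMES[i] for i in S]


def f(x, E):
    return pow(x, prod(E), N)


def f_td(y, E):
    """Root extraction f_td(y, E^{-1}): only possible with the trapdoor phi(N)."""
    return pow(y, pow(prod(E), -1, PHI), N)


def perm(x):
    return (PERM_A * x + PERM_C) % N


def perm_inv(x):
    return ((x - PERM_C) * pow(PERM_A, -1, N)) % N


def assign_subposet(name, k_top):
    """[Intermediate]: from k(M_G) set k(D_G) = perm^{-1}(k(M_G)), solve Eq.(9) for s_G
    with the trapdoor, then assign k(S) = f(s_G, exps(S)) for all S in V(G) (Eq.(10),(11))."""
    k_dummy = perm_inv(k_top)
    s_G = f_td(k_dummy, exps(BASE))          # Eq.(9): gamma(D_G) = B_G
    assert f(s_G, exps(BASE)) == k_dummy
    return {(name, S): f(s_G, exps(S)) for S in NODES}


def keygen(t):
    """Center side: top-down key assignment; returns all node keys and the user keys p(u)."""
    keys = assign_subposet("root", t)        # [Top]: k(M_Groot) = t
    for c, child in CHILDREN.items():
        keys.update(assign_subposet(child, keys[("root", frozenset({c}))]))
    user_keys = {(c, i): keys[(child, frozenset({i}))]     # [Bottom]: p(u) = k({u})
                 for c, child in CHILDREN.items() for i in BASE}
    return keys, user_keys


def derive(user, p_u):
    """User side, no trapdoor: from p(u) = k({u}) raise to the primes S has beyond {u}
    (Eq.(11); only supersets of {u} are reachable) and move to the parent sub-poset
    with perm(k(D_G)) = k(M_G).  Returns the derived keys and k(N) = t."""
    c, i = user
    keys, k = {}, p_u
    for name, idx in [(CHILDREN[c], i), ("root", c)]:
        for S in NODES:
            if idx in S:
                keys[(name, S)] = f(k, [PRIMES[j] for j in S - {idx}])
        k = perm(keys[(name, BASE)])         # k(D_G) -> k(M_G), one level up in H
    return keys, k


if __name__ == "__main__":
    all_keys, users = keygen(t=123456789)
    for u, p_u in users.items():
        derived, t_hat = derive(u, p_u)
        assert t_hat == 123456789 and all(all_keys[s] == v for s, v in derived.items())
    print("every user re-derives the", len(derived), "keys on its path up to t")
```

Each user performs one exponentiation chain per level of $\mathcal{H}$ plus one application of perm per level, which is the $h_{\mathcal{H}} \cdot \mathsf{MC}$ cost characterised in the next paragraphs; the center's only extra work is the root extraction in assign_subposet.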

Theorem 11. $(\mathsf{X})^{tacc}$ is KINT-secure in the random permutation model ($\mathsf{perm}$ modelled as an ideal random permutation), assuming the strong RSA assumption.

Characterizing Efficiency. If the set system $\mathsf{X}$ of $n$ users is tree-stratifiable homogeneously into a set system $\mathsf{Y}$ of $d$ users with the tree $\mathcal{H}$, then

$$\mathsf{KeySize}^{tacc}_{\mathsf{X}}(u) = 1, \qquad \mathsf{CompCost}^{tacc}_{\mathsf{X}} = O(\mathsf{MC}^{tacc}_{\mathsf{X}} + \mathsf{PC}^{tacc}_{\mathsf{X}}),$$

where the costs due to modular exponentiation and to prime generation depend on both $\mathcal{H}$ and $\mathsf{Y}$ and on $\mathsf{Y}$ only, respectively, and can be characterized as

$$\mathsf{MC}^{tacc}_{\mathsf{X}} = h_{\mathcal{H}} \cdot \mathsf{MC}^{acc}_{\mathsf{Y}}, \qquad \mathsf{PC}^{tacc}_{\mathsf{X}} = \mathsf{PC}^{acc}_{\mathsf{Y}}, \qquad (12)$$

where $h_{\mathcal{H}}$ is the depth of $\mathcal{H}$. The first claim follows from the fact that a user has to compute Eq.(11) at most $h_{\mathcal{H}}$ times. The second claim follows from the fact that the same set of primes is reused across sub-posets. There is also the cost of the applications of $\mathsf{perm}$, which is $O(h_{\mathcal{H}})$, but this is dominated by $\mathsf{MC}$.

Generic Application. We now confine our interest to the case where $\mathcal{H}$ is the balanced complete $n^{1/k}$-ary tree of depth $h_{\mathcal{H}} = k$. This forces the base sets of $\mathsf{Y}$ and $\mathsf{X}$ to have cardinality $n^{1/k}$ and $n$, respectively. In this case we say $\mathsf{X} = \mathsf{hier}_k(\mathsf{Y})$. The operation $\mathsf{hier}_k$ is well-defined and can be thought of as the converse of tree-stratification: from any poset $\mathsf{Z}$ one can construct a tree-stratifiable poset, namely $\mathsf{hier}_k(\mathsf{Z})$, by first scaling down the cardinality of the base set of $\mathsf{Z}$ to $n^{1/k}$ (since a set system is usually defined in terms of $n$). We write $\mathsf{Z}(n^{1/k})$ to emphasize the cardinality of the base set. The point is that when $k$ is a constant, Eq.(12) allows one to construct a full scheme for $n$ users with exactly the same asymptotic performance, in both parameters $\mathsf{MC}$ and $\mathsf{PC}$, as the "scaled-down" scheme $(\mathsf{Z}(n^{1/k}))^{acc}$. Moreover, if $c_{\mathsf{Z}(n)}(n, r) = O(r)$ then we can show that $c_{\mathsf{hier}_k(\mathsf{Z}(n^{1/k}))}(n, r) = O(kr) = O(r)$ (by exactly the same proof as that of Theorem 2); therefore, $\mathsf{HeaderSize}$ is also unaffected.

6.2 Trapdoor RSA Based Instantiation for LSIC

It is easy to see that $\mathsf{LSIC}[k]$ is tree-stratifiable, since $\mathsf{LSIC}[k] = \mathsf{hier}_k(\mathsf{SIC}(n^{1/k}))$. (We could have defined $\mathsf{LSIC}$ via the $\mathsf{hier}$ operation rather than directly in Sec. 3.2.) An example is shown in Fig. 7. From the efficiency characterization we have:

Corollary 12. (i) $\mathsf{MC}^{tacc}_{\mathsf{LSIC}[k]} = O(n^{1/k} (\log^2 n)/k)$, $\mathsf{PC}^{tacc}_{\mathsf{LSIC}[k]} = O((\log^5 n)/k^5)$.
(ii) $\mathsf{MC}^{tacc}_{\mathsf{LSIC}[\log_a n]} = O(a \log a \log n)$, $\mathsf{PC}^{tacc}_{\mathsf{LSIC}[\log_a n]} = O(1)$.

Proof. Observe that $\mathsf{MC}^{acc}_{\mathsf{SIC}(n^{1/k})} = O((n^{1/k} \log^2 n)/k^2)$ and $\mathsf{PC}^{acc}_{\mathsf{SIC}(n^{1/k})} = O((\log^5 n)/k^5)$; and that $\mathsf{MC}^{acc}_{\mathsf{SIC}(a)} = O(a \log^2 a)$ and $\mathsf{PC}^{acc}_{\mathsf{SIC}(a)} = O(1)$. (In fact, for the case $\mathsf{SIC}(a)$, the maximum number of primes used per user is $\log a + 1$, a small constant.) Both claims then follow from Eq.(12) with $h_{\mathcal{H}} = k$. □

7 Concluding Remarks 

We presented three generic frameworks for constructing broadcast encryption and gave some efficient instantiations. Almost all subset-cover broadcast encryption schemes in the literature based on a PRSG (or a one-way function) or on an RSA accumulator can be rewritten as instantiations of our paradigms. In fact, [18,14,17,4,12,20,15] can be viewed as PRSG-instantiated schemes and [2,3,11] as non-trapdoor-RSA-instantiated schemes from our frameworks.

The whole paradigm abstracts away the computational security issues and reduces the problem to pure combinatorics. We leave as an open problem the question of deriving combinatorial bounds from the efficiency characterization in each sub-framework. Note that the previous bounds for broadcast encryption [16] were obtained in a setting where no key derivation is involved.
Abstract. A two-argument function is computed privately by two parties if, after the computation, neither party knows anything about the other's input except what it can deduce from its own input and the function value. In [1] Bar-Yehuda, Chor, Kushilevitz, and Orlitsky give a complete characterisation of two-argument functions which can be computed privately (in the information-theoretical sense) in the Honest-But-Curious model and study protocols for "non-private" functions revealing as little information about the inputs as possible. The authors define a measure which determines for any function $f$ the additional information $\mathcal{E}(f)$ required for computing $f$ and claim that $f$ is privately-computable if and only if $\mathcal{E}(f) = 0$. In our paper we show that the characterisation is false: we give a privately-computable function $f$ with $\mathcal{E}(f) \neq 0$ and another function $g$ with $\mathcal{E}(g) = 0$ that is not privately-computable. Moreover, we show some rather unexpected and strange properties of the measure for additional information given by Bar-Yehuda et al., and we introduce an alternative measure. We show that for this new measure the minimal leakage of information of randomized and deterministic protocols is equal. Finally, we present some general relations between the information gain of an optimal protocol and the communication complexity of a function.


1 Introduction 

We investigate computations of functions of two $n$-bit inputs $x$ and $y$ by two players, Alice holding $x$ and Bob holding $y$. For a given function $f$, Alice ($A$) and Bob ($B$), both with unlimited computational power, communicate to determine $f(x,y)$, each keeping as much of its own input secret from the other party as possible. In this setting two models are considered in the literature. In the first one we assume that the players are honest but curious, that is, they never deviate from the given protocol but try to acquire knowledge about the input bits of the other player only by observing the communication. In the second setting Alice or Bob can be malicious, i.e. they can cheat. In this paper we study privacy in the Honest-But-Curious setting.
Private computation was introduced by Yao [8]. He considered the problem under cryptographic assumptions. Private computation in the information-theoretically secure setting has been introduced by Ben-Or et al. [3] and Chaum et al. [5]. Ben-Or et al. have presented a function that is not privately computable. A complete characterisation of such functions has been given independently by Kushilevitz [6] and Beaver [2]. This characterisation uses so-called forbidden submatrices. Let $M$ be a matrix. We say that two row indices $i$ and $j$ are related ($i \sim j$) if there is a column $k$ for which $M_{i,k} = M_{j,k}$. For example, the row indices of the matrix $T$ shown below are related, while the rows of the matrix $T'$ are not related:

$$T = \begin{pmatrix} 0 & 0 \\ 0 & 1 \end{pmatrix}, \qquad T' = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}. \qquad (1)$$

We define the equivalence relation $\equiv$ to be the transitive closure of $\sim$. In a similar way we define the relations $\sim$ and $\equiv$ on the columns of $M$. A matrix is forbidden if it is not monochromatic (i.e. not all elements of the matrix are the same), all its rows are equivalent with respect to $\equiv$ on rows, and all its columns are equivalent with respect to $\equiv$ on columns. The matrix $T$ defined in (1) is a small example of a forbidden matrix and $T'$ is an example of a matrix that is not forbidden. Privately-computable functions can be characterised as follows. Let $M_f$ denote the communication matrix of the function $f$, i.e. the $2^n \times 2^n$ matrix whose rows and columns are indexed by $n$-bit inputs such that for every $x, y \in \{0,1\}^n$ we have $(M_f)_{x,y} = f(x,y)$. For example, $T$ and $T'$ in (1) are the communication matrices of the two-argument Boolean functions AND and XOR, respectively.

Theorem 1 ([6,2]). In the Honest-But-Curious model a two-argument function $f$ can be computed privately if and only if $M_f$ does not contain any forbidden submatrix.
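An executable form of this characterisation, as an added example (not from the paper): Kushilevitz's recursive decomposition decides whether $M_f$ contains a forbidden submatrix by splitting the current submatrix along its row classes under $\equiv$, or else along its column classes, until every piece is monochromatic; a piece that is not monochromatic but has a single row class and a single column class is itself forbidden and is returned as the witness. The function names are this example's own; the functions encoded are AND, XOR, $f_{\min}$, $f_{equ}$ and the function $\varphi$ used later in the paper, which is taken here as $\varphi(x,y) = y$ if $x = 0^n$ and a separate symbol 0 otherwise (that symbol is represented by the string "0" so that it differs from the integer 0 standing for $0^n$).

```python
"""Decision procedure for Theorem 1 (added example, not the paper's code): M_f has no
forbidden submatrix iff it decomposes recursively along row classes or column classes
of ≡ down to monochromatic pieces.  n-bit inputs are read as integers 0..2^n-1."""


def comm_matrix(f, n):
    """The 2^n x 2^n communication matrix M_f with (M_f)_{x,y} = f(x, y)."""
    size = 1 << n
    return [[f(x, y, n) for y in range(size)] for x in range(size)]


def equivalence_classes(M, rows, cols, by_rows):
    """Classes of `rows` (or of `cols`) under ≡, the transitive closure of ~, where two
    rows are related iff they agree in some column of `cols` (and symmetrically)."""
    items, lines = (rows, cols) if by_rows else (cols, rows)
    parent = {i: i for i in items}          # union-find over the row (or column) indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for k in lines:
        first_with_value = {}
        for i in items:
            v = M[i][k] if by_rows else M[k][i]
            if v in first_with_value:        # same value in line k: i ~ first_with_value[v]
                parent[find(i)] = find(first_with_value[v])
            else:
                first_with_value[v] = i
    classes = {}
    for i in items:
        classes.setdefault(find(i), []).append(i)
    return list(classes.values())


def forbidden_submatrix(M, rows=None, cols=None):
    """None if M[rows][cols] contains no forbidden submatrix, else (rows, cols) of one."""
    rows = list(range(len(M))) if rows is None else rows
    cols = list(range(len(M[0]))) if cols is None else cols
    if len({M[i][k] for i in rows for k in cols}) == 1:
        return None                          # monochromatic piece: fine
    for by_rows in (True, False):
        classes = equivalence_classes(M, rows, cols, by_rows)
        if len(classes) > 1:                 # split and recurse into every class
            for cls in classes:
                hit = forbidden_submatrix(M, cls, cols) if by_rows else forbidden_submatrix(M, rows, cls)
                if hit is not None:
                    return hit
            return None
    return (rows, cols)   # not monochromatic, one row class, one column class: forbidden


def privately_computable(f, n):
    return forbidden_submatrix(comm_matrix(f, n)) is None


# Functions from the text.  For phi the symbol 0 of the range is written "0" so that it
# differs from the string 0^n, which is the integer 0 here (example's own encoding).
def f_and(x, y, n): return x & y
def f_xor(x, y, n): return x ^ y
def f_min(x, y, n): return min(x, y)
def f_equ(x, y, n): return int(x == y)
def f_phi(x, y, n): return y if x == 0 else "0"
```

On $n = 1$ the procedure reports $T = M_{\mathrm{AND}}$ itself as the forbidden witness and accepts $T' = M_{\mathrm{XOR}}$; on larger $n$ it rejects $f_{\min}$ and $f_{equ}$ (for both, the whole matrix is forbidden, since every pair of rows shares a value in some column) and accepts $\varphi$, whose first row is in a class of its own.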

Using this characterisation one can see that the majority of functions cannot be computed privately. For such functions it is natural to study the minimum amount of information about the individual inputs that must leak during their computation. There are several ways to quantify such leakage. In [1] Bar-Yehuda et al. introduced three measures: a combinatorial measure $I_c$, an information-theoretic measure $I_i$, and a measure $I_{c\text{-}i}$ that includes both combinatorial and information-theoretic aspects. For these measures they proved general tight bounds on the minimum amount of information about the inputs that must be revealed in a computation. Moreover, they showed that sacrificing some privacy can reduce the number of messages required during the computation.

In [1] the authors define for any function $f$ the additional information $\mathcal{E}(f)$ required for computing $f$ as the difference between $I_c(f)$ and $\log_2 |\mathrm{range}(f)|$, where $|\mathrm{range}(f)|$ denotes the cardinality of the range of the function $f$. They claim that $f$ is privately-computable if and only if $\mathcal{E}(f) = 0$. In our paper we show that this characterisation is false. We construct a privately-computable function $f$ with $\mathcal{E}(f) \neq 0$. Moreover we show that for the function $f_{\min}(x,y) = \min\{x, y\}$, where $x$ and $y$ are interpreted as integers from $\{0, 1, \dots, 2^n - 1\}$, it holds that $\mathcal{E}(f_{\min}) = 0$. On the other hand, $f_{\min}$ cannot be computed privately, since the communication matrix of $f_{\min}$,

$$M_{f_{\min}} = \begin{pmatrix} 0 & 0 & 0 & 0 & \cdots & 0 \\ 0 & 1 & 1 & 1 & \cdots & 1 \\ 0 & 1 & 2 & 2 & \cdots & 2 \\ \vdots & \vdots & \vdots & \vdots & \ddots & \vdots \end{pmatrix},$$

contains a forbidden submatrix. In fact, $M_{f_{\min}}$ is not monochromatic, and for every $x < 2^n - 1$ we have $f_{\min}(x, x) = f_{\min}(x+1, x) = f_{\min}(x, x+1) = x$ and $f_{\min}(x+1, x+1) = x+1$, which implies that all its rows (columns, resp.) are in the same equivalence class.

We also show some rather strange properties of the measures $I_c$, $I_i$, and $I_{c\text{-}i}$ for revealed information. For example, we show that $I_c(\mathrm{AND}) = I_c(\mathrm{XOR})$: the revealed information required for computing AND is the same as for XOR, in contradiction to the fact that XOR can be computed privately but AND cannot. A similar property holds for the remaining measures as well.

Furthermore, we introduce an alternative measure for the minimum revealed information, which is based on the information source defined in [4]. The information revealed by a protocol to a player is simply the logarithm of the number of different probability distributions on the communication strings that the player can observe. For this measure we show that $f$ is a privately computable function if and only if the minimum revealed information is zero. We give some tight bounds for concrete functions and show a general lower bound for arbitrary functions of two $n$-bit inputs.

We show that for our measure the minimal leakage of information for randomized and deterministic protocols is equal. Finally, we present some relations between the information gain of an optimal protocol and the communication complexity of a function. More precisely, we give a lower bound for the leakage of information that is logarithmic in the communication complexity. We show that for some specific functions this general bound is tight.

The paper is organized as follows. In the next section we give some preliminaries on communication complexity. In Section 3 we present the model of Bar-Yehuda et al. and give our analysis of their results. In Section 4 we discuss our measure for revealed additional information. The relation between the gain of additional information in randomized and in deterministic protocols is investigated in Section 5. Finally, in Section 6 we give a general relation between communication complexity and additional information.


2 Communication Protocols 

Let $f$ be a function of two $n$-bit inputs $x$ and $y$ that are known to two parties $A$ and $B$, respectively, each having unlimited computing power. The aim is to determine $f(x,y)$ by alternately transmitting messages over a noiseless binary channel according to a communication protocol. We consider two kinds of protocols: deterministic and randomised. In the deterministic case each message is determined by the input known to the party and by the previously received messages. We require that in every round of communication the set of all possible messages is prefix-free. A protocol computes $f$ if for every $(x,y)$ each party deduces the value $f(x,y)$ correctly. Let $\mathcal{P}(x,y)$ denote the concatenation of all messages of a protocol $\mathcal{P}$ exchanged between $A$ and $B$ during the computation on input $(x,y)$. Let the communication complexity of the protocol $\mathcal{P}$, denoted by $C_{\mathcal{P}}$, be the maximum length of $\mathcal{P}(x,y)$, and let the communication size $CS_{\mathcal{P}}$ be the number of different strings $\mathcal{P}(x,y)$, over all inputs $(x,y)$. Define the deterministic communication complexity of $f$, denoted by $C_D(f)$, as the smallest $C_{\mathcal{P}}$ over all deterministic protocols $\mathcal{P}$ computing $f$, and analogously let the communication size $CS_D(f)$ be the smallest $CS_{\mathcal{P}}$ over all such $\mathcal{P}$.

For a randomised protocol $\mathcal{P}$ on an input $(x,y)$, $A$ and $B$ can additionally use random bit strings to determine their messages. In this paper we consider randomised protocols where each party $A$ and $B$ has access to a private random string $R_A$ and $R_B$, respectively. In this case the communication string $\mathcal{P}(x,y)$, defined again as the concatenation of all messages transmitted during an execution of $\mathcal{P}$ on $(x,y)$, is a random string.

For a general survey of communication complexity see e.g. Kushilevitz and 
Nisan [7]. 

3 Additional Information - The Model of Bar-Yehuda et al.

In this section we discuss the measure of additional information defined in [1]. First we give the definitions and the results of [1], and then we show that some of the results are false, that the measures are somewhat inconsistent, and that they have rather unexpected and strange properties.

3.1 The Results 

Let us first present the definition of privacy cost in the combinatorial setting. 
Next the information-theoretic measure and the measure that includes both 
combinatorial and information-theoretic aspects will be considered. 

To define the combinatorial measure $I_c(f)$ for a function $f$, Bar-Yehuda et al. introduce a weak and a stronger definition of privacy cost. However, since the notions are equivalent to each other, we recall the definition of $I_c$ using the notion of strong privacy only. To measure the information leakage during the computation of $f$ we use an auxiliary function $h$ which, like $f$, is a function of two $n$-bit strings. The ranges of the two functions can be different. Intuitively speaking, a protocol $\mathcal{P}$ for $f$ leaks at most $h$, or equivalently is $h$-private, if during the computation of $\mathcal{P}$ on $(x,y)$ the information learned by a party about the input of the other party can be deduced from its own input and the value $h(x,y)$.
Definition 1 ([1]). A protocol $\mathcal{P}$ for $f$ is strongly $h$-private for $A$ if

1. for every $x, y \in \{0,1\}^n$, $\mathcal{P}$ computes the value $f(x,y)$ correctly with probability 1, and

2. for every $x, y_1, y_2 \in \{0,1\}^n$, $h(x, y_1) = h(x, y_2)$ implies that for all random choices $r$ of $A$, $\mathcal{P}(x, y_1)$ and $\mathcal{P}(x, y_2)$ have the same distribution, namely, for every communication string $s$,

$$\Pr[s = \mathcal{P}(x, y_1) \mid r] = \Pr[s = \mathcal{P}(x, y_2) \mid r],$$

where the probability is taken over the random choices of $B$.

Strong $h$-privacy for $B$ is defined analogously. To give more intuition let us consider the Boolean function $f_{equ}$ defined on two $n$-bit strings:

$$f_{equ}(x, y) = \begin{cases} 1 & \text{if } x = y, \\ 0 & \text{otherwise.} \end{cases} \qquad (2)$$

Furthermore, let us consider the (deterministic) protocol of [1] for computing $f_{equ}$ on two $n$-bit strings $x = x_1 x_2 \dots x_n$ and $y = y_1 y_2 \dots y_n$:

Protocol 1. For all $i = 1, 2, \dots, n$ do:

1. $A$ sends $x_i$ to $B$;

2. If $x_i \neq y_i$ then $B$ transmits 0 and exits; else if $x_i = y_i$ then $B$ transmits 1.

The protocol is strongly $h_{equ}$-private for both $A$ and $B$, where $h_{equ}$ is defined as follows: $h_{equ}(x,y) = \min\{i : x_i \neq y_i\}$ if $x \neq y$ and $h_{equ}(x,y) = n+1$ otherwise. To see this, note that for the protocol $\mathcal{P}$ above and for every pair of inputs $(x,y)$ and $(x,y')$ it holds that $\mathcal{P}(x,y) = \mathcal{P}(x,y')$ if and only if $h_{equ}(x,y) = h_{equ}(x,y')$. An analogous equivalence holds for every $(x,y)$ and $(x',y)$. Recall that $\mathcal{P}(x,y)$ for the deterministic protocol $\mathcal{P}$ denotes just the concatenation of all messages sent between $A$ and $B$ during the computation of $\mathcal{P}$ on $(x,y)$.

Definition 2 ([1]). Let $h_1$ and $h_2$ be functions of two $n$-bit inputs. A protocol $\mathcal{P}$ is strongly $(h_1, h_2)$-private if it is strongly $h_1$-private for $A$ and strongly $h_2$-private for $B$. A protocol $\mathcal{P}$ is strongly $h$-private if it is strongly $(h,h)$-private. A function $f$ is strongly $h$-private if it has a strongly $h$-private protocol.

For example, $f_{equ}$ is strongly $h_{equ}$-private. The revealed information $I_c(f)$ and the additional information $\mathcal{E}(f)$ required for computing $f$ are defined by

$$I_c(f) = \min\{\log_2 |\mathrm{range}(h)| : f \text{ is strongly } h\text{-private}\},$$
$$\mathcal{E}(f) = I_c(f) - \log_2 |\mathrm{range}(f)|.$$

Hence, for the function $f_{equ}$ (whose range has cardinality 2) we have:

$$I_c(f_{equ}) \le \log_2(n+1) \quad \text{and} \quad \mathcal{E}(f_{equ}) \le \log_2(n+1) - 1. \qquad (3)$$

In [1] Bar-Yehuda et al. state the following claim, which is false as we will see in the next section.

Claim 1 ([1], p. 1932). A function $f$ is privately-computable if and only if $I_c(f) = \log_2 |\mathrm{range}(f)|$, i.e., if and only if $\mathcal{E}(f) = 0$.

For the min function

$$f_{\min}(x, y) = \begin{cases} x & \text{if } x \le y, \\ y & \text{otherwise,} \end{cases} \qquad (4)$$

where $x$ and $y$ are interpreted as integers from $\{0, 1, \dots, 2^n - 1\}$, the authors claim that

Claim 2 ([1], p. 1933). $0 < \mathcal{E}(f_{\min}) \le 1$.

This is not true, as we will see in the next section.

Now we recall the definition of the information-theoretic measure $I_i$ and of the measure $I_{c\text{-}i}$ that includes both combinatorial and information-theoretic aspects. In this paper we discuss only the deterministic counterparts of these measures (denoted by $I_i^{det}$ and $I_{c\text{-}i}^{det}$), which refer to the leakage of information when the protocols are restricted to deterministic ones.

To define $I_i^{det}$ and $I_{c\text{-}i}^{det}$ one has implicitly to assume a probability distribution on the inputs $x$ and $y$. Let us consider the input strings as a pair $(X, Y)$ of random variables drawn from some specified distribution which is known to both parties. For a deterministic protocol $\mathcal{P}$ define

$$I_{\mathcal{P}}(X, Y) = \max\{ I(X; \mathcal{P}(X,Y) \mid Y),\ I(Y; \mathcal{P}(X,Y) \mid X) \}$$

to be the maximum of the information gained by $A$ or by $B$ about the input of the other party that can be deduced from the complete communication string $\mathcal{P}(X,Y)$ and its own input. Here $I(X; Y \mid Z)$ denotes the conditional mutual information. The information-theoretic measure $I_i^{det}$ of additional information is defined as follows:

$$I_f^{det}(X, Y) = \min\{ I_{\mathcal{P}}(X, Y) : \mathcal{P} \text{ is a deterministic protocol computing } f \},$$
$$I_i^{det}(f) = \sup\{ I_f^{det}(X, Y) : (X, Y) \text{ is distributed over } \{0,1\}^n \times \{0,1\}^n \}.$$

Finally, define the combinatorial-information-theoretic measure by

$$I_{\mathcal{P}} = \sup\{ I_{\mathcal{P}}(X, Y) : (X, Y) \text{ is distributed over } \{0,1\}^n \times \{0,1\}^n \},$$
$$I_{c\text{-}i}^{det}(f) = \min\{ I_{\mathcal{P}} : \mathcal{P} \text{ is a deterministic protocol computing } f \}.$$


3.2 Mistakes and Inconsistencies 

In the following we show that some claims of [1] are false. We start our analysis by showing the following useful lemma:

Lemma 1. For every function $f$ of two $n$-bit inputs the revealed information required for computing $f$ is bounded by $n$, i.e. $I_c(f) \le n$.

Note that the lemma does not follow from the simple relation $I_c(f) \le C_D(f)$ between $I_c$ and the deterministic communication complexity, since $C_D(f)$ can be as large as $n + \log_2 |\mathrm{range}(f)|$. On the other hand, the bound stated in the lemma seems quite natural: one party cannot gain more than $n$ bits of information about the input of the other party in the sense of Shannon.

Proof. Let $f$ be a two-argument function over $\{0,1\}^n \times \{0,1\}^n$ and let $\mathcal{P}$ be an arbitrary protocol which computes $f$ correctly with probability 1. Define the function $g(x,y) = (x + y) \bmod 2^n$, considering $x$ and $y$ as integers in $\{0, \dots, 2^n - 1\}$. It is easy to verify that $\mathcal{P}$ is strongly $g$-private. In fact, for every $x_1, x_2, y_1, y_2 \in \{0,1\}^n$ with $x_1 \neq x_2$ and $y_1 \neq y_2$ we have $g(x_1, y_1) \neq g(x_1, y_2)$ and $g(x_1, y_1) \neq g(x_2, y_1)$, so Condition 2 of Definition 1 is fulfilled vacuously. Because $|\mathrm{range}(g)| = 2^n$, we get

$$I_c(f) = \min\{\log_2 |\mathrm{range}(h)| : f \text{ is strongly } h\text{-private}\} \le \log_2 |\mathrm{range}(g)| = n. \qquad \square$$

As a counterexample to the characterisation given in Claim 1 consider the function $\varphi : \{0,1\}^n \times \{0,1\}^n \to \{0\} \cup \{0,1\}^n$ defined for any $n \ge 2$ by

$$\varphi(x, y) = \begin{cases} y & \text{if } x = 0^n, \\ 0 & \text{otherwise,} \end{cases} \qquad (5)$$

where the symbol $0$ is distinct from the string $0^n$.

Proposition 1. The function $\varphi$ can be computed privately but $\mathcal{E}(\varphi) \neq 0$.

Proof. Note that $0 \neq 0^n$, hence the communication matrix $M_\varphi$ does not contain a forbidden submatrix: $M_\varphi$ is not monochromatic and the first row (the row $x = 0^n$) is not equivalent to any other row of the matrix. Hence by the characterisation of Kushilevitz and Beaver (Theorem 1) we know that $\varphi$ can be computed privately. On the other hand, according to the definition of the additional information required for computing $\varphi$ and by Lemma 1 we can conclude that

$$\mathcal{E}(\varphi) = I_c(\varphi) - \log_2 |\mathrm{range}(\varphi)| \le n - \log_2(2^n + 1) < 0. \qquad \square$$

Therefore Claim 1 is false: for the privately-computable function $\varphi$ we have both $I_c(\varphi) < \log_2 |\mathrm{range}(\varphi)|$ and $\mathcal{E}(\varphi) \neq 0$. This example shows a strange property of the definition of $\mathcal{E}(\varphi)$: the additional information required for computing a function can be negative.

Using Lemma 1 again one can show that Claim 2 is false:

Proposition 2. For the function $f_{\min}$ defined in (4) it holds that

$$I_c(f_{\min}) = n \quad \text{and} \quad \mathcal{E}(f_{\min}) = 0.$$

Proof. By Lemma 1 we get

$$\mathcal{E}(f_{\min}) = I_c(f_{\min}) - \log_2 |\mathrm{range}(f_{\min})| \le n - \log_2(2^n) = 0.$$

It is not difficult to show that $\mathcal{E}(f_{\min}) \ge 0$. In fact, if $I_c(f_{\min}) < n$ then there exists a function $h$ such that $f_{\min}$ is strongly $h$-private and $\log_2 |\mathrm{range}(h)| < n$. Consider $x = 2^n - 1$; then for any pair $y_1, y_2 \in \{0, 1, \dots, 2^n - 1\}$ with $y_1 \neq y_2$ we have $f_{\min}(x, y_1) \neq f_{\min}(x, y_2)$. Since $A$ must deduce these different values from $x$ and the communication, this implies $h(x, y_1) \neq h(x, y_2)$, contradicting the assumption that $\log_2 |\mathrm{range}(h)| < n$. □

Note that the communication matrix $M_{f_{\min}}$ of $f_{\min}$ contains a forbidden submatrix (see the discussion in Section 1). Hence by Theorem 1, $f_{\min}$ is not privately-computable. By Propositions 1 and 2 one can conclude:

Theorem 2. There exists a privately-computable function $\varphi$ with $\mathcal{E}(\varphi) \neq 0$ and another function $f$ with $\mathcal{E}(f) = 0$ that is not privately-computable.

Now we discuss some inconsistencies of the definitions of additional information. We show that in fact none of these definitions is well suited to measuring additional information. In Section 4 we give a new definition of additional information.

For the function $\varphi$ defined in (5), let us consider two (deterministic) protocols $\mathcal{P}_1$ and $\mathcal{P}_2$ that compute $\varphi$. Protocol $\mathcal{P}_1$ works on $x, y$ as follows: $A$ sends 0 if $x = 0^n$ and 1 otherwise. If $B$ receives 0 then he sends $y$ to $A$, otherwise $B$ stops the computation. In protocol $\mathcal{P}_2$, $A$ sends 0 if $x = 0^n$ and 1 otherwise, and then $B$ sends $y$ to $A$ in any case. Obviously in both cases each party can determine the value of the function correctly at the end of the communication. Note that $\mathcal{P}_1$ is a private protocol in the usual sense (more precisely 1-private, see e.g. [6] for the definition) while $\mathcal{P}_2$ is not private. We can say even more: using $\mathcal{P}_2$, $A$ gains full information about the input of $B$. On the other hand, both $\mathcal{P}_1$ and $\mathcal{P}_2$ are optimal with respect to $I_c$. To see this, consider the function $g(x,y) = (x+y) \bmod 2^n$ used in the proof of Lemma 1. Both $\mathcal{P}_1$ and $\mathcal{P}_2$ are strongly $g$-private, and the optimality follows from the obvious fact that

$$I_c(\varphi) = n = \log_2 |\mathrm{range}(g)|.$$

$I_i^{det}$ and $I_{c\text{-}i}^{det}$ measure the additional information wrongly as well. According to the definition of $I_{\mathcal{P}}$ we have for both protocols $\mathcal{P}_1$, $\mathcal{P}_2$

$$I_{\mathcal{P}_i} = \sup_{(X,Y)} I_{\mathcal{P}_i}(X, Y) = \sup_{(X,Y)} \max\{ H(X \mid Y) - H(X \mid \mathcal{P}_i(X,Y), Y),\ H(Y \mid X) - H(Y \mid \mathcal{P}_i(X,Y), X) \} = n$$

(the supremum is attained, e.g., for $X \equiv 0^n$ and $Y$ uniformly distributed, where $A$ learns all of $Y$ in both protocols), and therefore $I_{\mathcal{P}_1} = I_{\mathcal{P}_2}$. Hence neither $I_i^{det}$ nor $I_{c\text{-}i}^{det}$ measures the additional information which can be gained by a party during the computation.

Finally, let us consider the two-argument functions AND and XOR. We have:

$$I_{c\text{-}i}^{det}(\mathrm{AND}) = I_{c\text{-}i}^{det}(\mathrm{XOR}) = 1.$$



Revealing Additional Information in Two-Party Computations 129 


But XOR can be computed privately and therefore no additional information 
can be gained during a computation of XOR. On the other hand, AND cannot be 
computed privately. 

4 Additional Information - New Measure 

In the following we present an alternative measure for additional information, based on the information source defined in [4].

Definition 3. Let $\mathcal{P}$ be a protocol for a function $f$ which for every $x, y \in \{0,1\}^n$ computes the value $f(x,y)$ correctly with probability 1. Let $x \in \{0,1\}^n$, $z \in \mathrm{range}(f)$ and let $r$ be a random string provided to $A$. Define the information source of $A$ on $x$, $z$, and $r$ as the set of different probability distributions on the communication strings that $A$, holding $x$ and $r$, can observe during all computations of $\mathcal{P}$ that give the result $z$:

$$S_{\mathcal{P},A}(x, z, r) = \{ (\pi_{x,y}(s_1), \pi_{x,y}(s_2), \dots) : y \in \{0,1\}^n,\ f(x,y) = z \},$$

where $\pi_{x,y}(s_k) = \Pr[\mathcal{P}(x,y) = s_k \mid r]$. Define the size of the information source as

$$s_{\mathcal{P},A}(x, z) = \max_r |S_{\mathcal{P},A}(x, z, r)|.$$

Analogously we define $S_{\mathcal{P},B}(y, z, r)$, the information source of $B$ on $y$, $z$, and $r$, and its size $s_{\mathcal{P},B}(y, z)$.

If $\mathcal{P}$ is a deterministic protocol then we omit $r$ in $S_{\mathcal{P},A}(x, z, r)$ and write just $S_{\mathcal{P},A}(x, z)$. Now we are ready to define a new combinatorial measure for the additional information, an analogue of $I_c$, which we denote by $J_c$.

Definition 4. The additional information of $\mathcal{P}$ revealed to $A$ is defined as

$$J_{\mathcal{P},A} = \max\{ \log_2 s_{\mathcal{P},A}(x, z) : x \in \{0,1\}^n,\ z \in \mathrm{range}(f) \}.$$

Analogously we define $J_{\mathcal{P},B}$. The additional information that can be deduced by running a protocol $\mathcal{P}$ is $J_{\mathcal{P}} = \max\{ J_{\mathcal{P},A}, J_{\mathcal{P},B} \}$. The additional information required for computing $f$ is

$$J_c(f) = \min\{ J_{\mathcal{P}} : \mathcal{P} \text{ is a protocol computing } f \}.$$

We have the following characterisation of privately computable functions: 
Theorem 3. A function f is privately computable if and only if J c {f) = 0. 

The proof of the theorem is straightforward and we skip it here. 

We can redefine the measure $J_c$ in terms of the $h$-privacy used by Bar-Yehuda et al. (see Definition 2).

Definition 5. Let $h$ be a function of two $n$-bit inputs and let the protocol $\mathcal{P}$ for a function $f$ be strongly $h$-private. Analogously to Definitions 3 and 4 let

$$s^h_{\mathcal{P},A}(x, z) = |\{ h(x,y) : y \in \{0,1\}^n,\ f(x,y) = z \}|,$$
$$J^h_{\mathcal{P},A} = \max\{ \log_2 s^h_{\mathcal{P},A}(x, z) : x \in \{0,1\}^n,\ z \in \mathrm{range}(f) \}.$$

Analogously define $s^h_{\mathcal{P},B}$ and $J^h_{\mathcal{P},B}$ for $B$. Then $J^h_{\mathcal{P}} = \max\{ J^h_{\mathcal{P},A}, J^h_{\mathcal{P},B} \}$.

Theorem 4. For every function $f$ it holds that

$$J_c(f) = \min\{ J^h_{\mathcal{P}} : \mathcal{P} \text{ is a strongly } h\text{-private protocol for } f \}.$$

Our measure modifies the definition of Bar-Yehuda et al. [1] by taking the result of the function into account. The proof of Theorem 4 uses some facts obtained from the derandomisation of an optimal protocol. We present such a derandomisation in the next section.

Proof (of Theorem 4). Let $f$ be a function. We first show that

$$J_c(f) \le \min\{ J^h_{\mathcal{P}} : \mathcal{P} \text{ is a strongly } h\text{-private protocol for } f \}. \qquad (6)$$

Assume $h$ is a function and $\mathcal{P}$ is a strongly $h$-private protocol for computing $f$ such that $J^h_{\mathcal{P}}$ is minimum among all such functions $h$ and protocols $\mathcal{P}$. By the definition of $h$-privacy we have that for every $x, y_1, y_2 \in \{0,1\}^n$, $h(x, y_1) = h(x, y_2)$ implies that for all random choices $r$ of $A$, $\mathcal{P}(x, y_1)$ and $\mathcal{P}(x, y_2)$ have the same distribution. Hence, for every $x \in \{0,1\}^n$ and $z \in \mathrm{range}(f)$ we have

$$s_{\mathcal{P},A}(x, z) \le |\{ h(x,y) : y \in \{0,1\}^n,\ f(x,y) = z \}| = s^h_{\mathcal{P},A}(x, z).$$

Similarly we have $s_{\mathcal{P},B}(y, z) \le s^h_{\mathcal{P},B}(y, z)$. Hence both $J_{\mathcal{P},A} \le J^h_{\mathcal{P},A}$ and $J_{\mathcal{P},B} \le J^h_{\mathcal{P},B}$ hold, and therefore $J_{\mathcal{P}} \le J^h_{\mathcal{P}}$. This implies that Inequality (6) is true.

To see that the reverse inequality to (6) also holds, we apply Theorem 6. Let $\mathcal{P}$ be a protocol for $f$ such that $J_{\mathcal{P}}$ is minimal among all protocols computing $f$. By Theorem 6 there exists a deterministic protocol $\mathcal{P}'$ for $f$ such that

$$J_{\mathcal{P}'} \le J_{\mathcal{P}} = J_c(f).$$

Since $\mathcal{P}'$ is deterministic, we can define a function $h$ for every $x, y \in \{0,1\}^n$ by $h(x,y) = \mathcal{P}'(x,y)$. Obviously, $\mathcal{P}'$ is strongly $h$-private and $J^h_{\mathcal{P}'} = J_{\mathcal{P}'}$. Hence, by the inequality above one can conclude:

$$\min\{ J^h_{\mathcal{P}} : \mathcal{P} \text{ is a strongly } h\text{-private protocol for } f \} \le J^h_{\mathcal{P}'} = J_{\mathcal{P}'} \le J_c(f).$$

This completes the proof. □

Using Theorem 4 we get that $J_c(f) \le I_c(f)$ for every function $f$. However, the difference can be very big: e.g. for $f_{\min}$ we have by Proposition 2 that $I_c(f_{\min}) = n$. On the other hand, using the protocol given in [1]:

Protocol 2. For all $i = 0, 1, \dots, 2^n - 1$, or until the first 1 is transmitted, do:

1. $A$ transmits bit 1 if $x = i$ and 0 otherwise;

2. $B$ transmits bit 1 if $y = i$ and 0 otherwise.

we get that $J_c(f_{\min}) \le 1$. Since $f_{\min}$ cannot be computed privately, we obtain the equality $J_c(f_{\min}) = 1$.

For the equality function $f_{equ}$ (see (2)), we get $I_c(f_{equ}) \le \log_2(n+1)$ (compare the inequalities (3)). By the fact shown in [1] that for any deterministic protocol $\mathcal{P}$ which computes $f_{equ}$ there is $v \in \{0,1\}^n$ such that the set

$$\{ \mathcal{P}(x, v) : x \in \{0,1\}^n \} \cup \{ \mathcal{P}(v, y) : y \in \{0,1\}^n \}$$

has at least $n+2$ elements, we obtain for $z = 0$: $s_{\mathcal{P},A}(v, z) + s_{\mathcal{P},B}(v, z) \ge n + 2$, and finally that $J_c(f_{equ}) \ge \log_2 ((n+2)/2) \ge \log_2 n - 1$. Hence we get the following bounds: $\log_2 n - 1 \le J_c(f_{equ}) \le I_c(f_{equ}) \le \log_2(n+1)$.

We close the section by giving a general lower bound for $J_c$. Recall that a rectangle in $\{0,1\}^n \times \{0,1\}^n$ is a Cartesian product $R = V \times H$ with $V, H \subseteq \{0,1\}^n$. The rectangle $R$ is $f$-constant if $f$ is constant over $R$. Obviously, every protocol for $f$ partitions the communication matrix $M_f$ into $f$-constant rectangles. Let $\eta$ be the largest width of an $f$-constant rectangle.

Theorem 5. For every Boolean function $f$ of two $n$-bit inputs

$$J_c(f) \ge n - \log_2 \eta - 2.$$

The proof of Theorem 3 of [1] works for our Theorem.

Using the general bound given in the Theorem above one can find lower bounds for Boolean functions $f$ whose communication matrix is of Hadamard type (see [1]). From this characterisation we get e.g. that for the $n$-variable inner product mod 2 function defined as

$$f_{ip}(x, y) = \sum_{i=1}^{n} x_i \cdot y_i \bmod 2 \qquad (7)$$

it holds that $J_c(f_{ip}) \ge n/2 - 2$.

5 Derandomisation 

In this section we show that every randomized protocol $\mathcal{P}$ that computes the function $f$ correctly with probability 1 can be simulated by a deterministic protocol $\mathcal{P}'$ such that the additional information that can be deduced by running protocol $\mathcal{P}'$ is bounded by the additional information that can be deduced by running protocol $\mathcal{P}$, i.e. $J_{\mathcal{P}'} \le J_{\mathcal{P}}$. We start with the derandomisation of the part of $A$.

Let us assume that A performing V starts the communication and let l be 
an upper bound for the number of random bits used by A. In the algorithm 
below A simulates the t-th round of the computation of V, with t = 1,2,3, .. . 
as follows: On a given input x A computes iteratively string c t and a subset 
Rt Q {0, 1}-* of all binary strings of lengths less or equal to £, such that c t is a 
complete communication string of a computation during the first t rounds and 
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1Z t is a subset of all possible random strings that can be used by A. A string r 
is in 1Z t if there exists a computation of V such that the first t rounds of the 
computation are consistent with ct when A on x and r. Define TZo = {0,1}-^ 
and let Co be the empty string. 

1. If $t$ is odd then for every $r \in R_{t-1}$, $A$ simulates (deterministically) the $t$-th 
round of the computation of $P$ on input $x$ with the random string $r$ that is 
consistent with the communication string $c_{t-1}$ and computes a communication 
string for the $t$-th round. Let $w_t$ be the lexicographically smallest among all 
such strings. Then $A$ computes $R_t := \{ r \in R_{t-1} \mid A \text{ sends } w_t \text{ on } x, r, c_{t-1} \}$ 
and $c_t := c_{t-1} \circ w_t$ and sends $w_t$ to $B$. For two strings $v$ and $v'$, by $v \circ v'$ we 
denote the concatenation of $v$ and $v'$. 

2. If $t$ is even and $u_t$ is the message received by $A$ from $B$ in the $t$-th round, then 
$c_t := c_{t-1} \circ u_t$.

Assume that the protocol stops in round $T$. Then it is easy to see that for every 
input $y$, every possible result and every random string $r$ of $B$, $A$ chooses for 
every pair of inputs $x, x'$ the communication string $s$ that is the lexicographically 
smallest string with $\Pr[P(x,y) = s \mid r],\ \Pr[P(x',y) = s \mid r] > 0$. Hence, 
inputs $x, x'$ that give the same distribution on $y, z, r$ when running $P$ also give 
the same distribution when running the deterministic protocol $P'$.

Note that we can derandomise the part of $B$'s protocol analogously. Hence 
we can conclude: 

Lemma 2. For every protocol $P$ there exists a deterministic protocol $P'$ computing 
the same function, such that for every choice of $x, y, z$: $s_{P',A}(x,z) \le s_{P,A}(x,z)$ 
and $s_{P',B}(y,z) \le s_{P,B}(y,z)$. 

Theorem 6. For every protocol $P$ there exists a deterministic protocol $P'$ computing 
the same function, such that $J_{P'} \le J_P$.

This result generalises the result of Kushilevitz [6] that a function can be computed 
privately in the two-party scenario iff it can be computed privately by a 
deterministic protocol.

Using our simulation result, we can directly deduce some bounds on the size 
of a minimal information source. Let $s_f$ be the minimum size of the information 
source of a protocol computing $f$, i.e. let 

$$s_f = \min_{P} \max_{x,y,z} \{ s_{P,A}(x,z),\ s_{P,B}(y,z) \}$$

(note that $J_c(f) = \log_2 s_f$).

Corollary 1. $s_f \le CS_D(f)$. 

Proof. Assume that $s_f > CS_D(f)$, let $P$ be a deterministic protocol that 
achieves $s_f$ and let $P'$ be a deterministic protocol that achieves $CS_D(f)$. Assume 
that $s_f = s_{P,A}(x,z)$ for appropriately chosen values $x, z$. Then the number of 
communication strings seen by $A$ on input $x$ and result $z$ when running $P$ is 
even higher than the number of communication strings seen by both parties 
when running $P'$ on arbitrary inputs. Hence, the size of the information source 
when running $P'$ is smaller than the size of the information source when running 
$P$, contradicting the assumption that $P$ achieves the minimum size of the 
information source. □

Corollary 2. $CS_D(f) = \min_{\text{deterministic } P \text{ computing } f} \left| \bigcup_{x,z} S_{P,A}(x,z) \right|$. 

Proof. Let $P$ be a deterministic protocol for $f$ such that 

$$\left| \bigcup_{x,z} S_{P,A}(x,z) \right| = \min_{\text{deterministic } P' \text{ computing } f} \left| \bigcup_{x,z} S_{P',A}(x,z) \right| .$$

Since $P$ is deterministic, every distribution in the set $\bigcup_{x,z} S_{P,A}(x,z)$ rates exactly 
one communication string with a strictly positive probability. Furthermore, 
the set determines all communication strings used when running $P$. The claim 
follows from the observation that $P$ is chosen such that the number of used 
communication strings is minimal. □

6 Lower Bounds on Size of the Information Source 

Corollary 1 gives a general upper bound on the minimum size of the information 
source $s_f$. This bound is not tight. In fact, it is well known (see e.g. [7]) that for the 
equality function $f_{\mathrm{equ}}$ it holds that $CS_D(f_{\mathrm{equ}}) \ge 2^n$ and $C_D(f_{\mathrm{equ}}) = n$. On the 
other hand, from Protocol 1 it follows that for any optimal protocol $P$ we get 
$s_{P,A}(x,z), s_{P,B}(y,z) \le n$ for every $x, y, z$. Hence $s_{f_{\mathrm{equ}}} \le n < 2^n \le CS_D(f_{\mathrm{equ}})$. 
In this section we will prove a linear lower bound on the size of the information 
source with respect to the communication complexity, i.e. we show that for any $f$, 
$s_f \in \Omega(C_D(f)/|\mathrm{range}(f)|)$. In particular, for $f_{\mathrm{equ}}$ we get $C_D(f_{\mathrm{equ}})/4 - 1 \le s_{f_{\mathrm{equ}}}$.

For a node $v$ of the communication tree let $X_v$ and $Y_v$ denote the sets of input 
strings of $A$ and $B$, respectively, such that on the input pairs $(x,y) \in X_v \times Y_v$ 
the protocol reaches $v$. Let $s_{P,A,v}(x,z)$ denote the size of the information source 
of the subprotocol of $P$ starting in $v$ with the inputs restricted to $X_v \times Y_v$. Let 
$s_{P,B,v}(y,z)$ be defined analogously. Finally, define 

$$\mathrm{range}(v) = \{ f(x,y) \mid (x,y) \in X_v \times Y_v \} .$$

Without loss of generality we restrict ourselves to protocols $P$ 
sending no unnecessary bits for computing the function. Formally, assume that 
all internal nodes of the communication tree of $P$ have degree at least 2. We start 
with the following observation:

Lemma 3. Let $P$ be a deterministic protocol computing a function $f$ and let 
$v_1, \ldots, v_t$ be a leaf-to-root path in the communication tree of $P$. Then for all 
$i \in \{1, \ldots, t\}$ there exist $x \in X_{v_i}$, $y' \in Y_{v_i}$, and $z, z' \in \mathrm{range}(f)$ such that 

$$\max\{ s_{P,A,v_i}(x,z),\ s_{P,B,v_i}(y',z') \} \ge \frac{i}{2 \cdot |\mathrm{range}(v_i)|} - 1 .$$

Proof. The claim holds for $i = 1$, since for every leaf $v_1$ of the communication 
tree we have $s_{P,A,v_1}(x,z) = s_{P,B,v_1}(y,z) = 0$. 

Consider now an internal node $v_i$ with $i > 1$. Let $u_1, \ldots, u_d$ be all successors 
of $v_i$ in the communication tree. Obviously, $v_{i-1}$ is one of the nodes $u_j$. Let us 
assume that $A$ has to send some message in $v_i$; then for all $x \in X_{v_{i-1}} \subseteq X_{v_i}$, 
$y \in Y_{v_{i-1}} = Y_{v_i}$ and $z = f(x,y)$: 

$$s_{P,A,v_i}(x,z) = \max\{1,\ s_{P,A,v_{i-1}}(x,z)\} .$$

On the other hand, one can prove that for the information source of $B$ we have 

$$s_{P,B,v_i}(y,z) = \sum_{j \in \{1,\ldots,d\} \text{ with } z \in \mathrm{range}(u_j)} \max\{1,\ s_{P,B,u_j}(y,z)\} .$$

Therefore we can bound this quantity as follows: 

$$s_{P,B,v_i}(y,z) \ge \begin{cases} 1 + \max\{1,\ s_{P,B,v_{i-1}}(y,z)\} & \text{if } z \in \mathrm{range}(u_j) \text{ for some } u_j \ne v_{i-1}, \\ \max\{1,\ s_{P,B,v_{i-1}}(y,z)\} & \text{otherwise.} \end{cases}$$

Assume that there are $k$ nodes on the sub-path $v_1, \ldots, v_i$ where $A$ sends a 
message to $B$. Then there exists $z' \in \mathrm{range}(v_i)$ such that for at least 

$$\frac{k}{|\mathrm{range}(v_i)|}$$

of these nodes $v_j$ it holds that $z' \in \mathrm{range}(v_{j-1}) \cap \mathrm{range}(u)$ for some direct 
successor $u \ne v_{j-1}$ of $v_j$. Note that we can show similar bounds for $s_{P,A,v_i}(x,z)$ 
and $s_{P,B,v_i}(y,z)$ if $B$ sends a message. The claim follows immediately, since 
either $A$ or $B$ has to send some message in at least $\lceil i/2 \rceil$ of the nodes $v_1, \ldots, v_i$. 
□


As a corollary we obtain: 

Corollary 3. For every function $f$ of two $n$-bit inputs it is true that 

$$\frac{C_D(f)}{2 \cdot |\mathrm{range}(f)|} - 1 \le s_f .$$

Combining the corollary above with Theorem 6 we can conclude the following 
lower bound on the additional information: 

Theorem 7. For every function $f$ of two $n$-bit inputs we have 

$$J_c(f) \ge \log_2 C_D(f) - \log_2 |\mathrm{range}(f)| - O(1) .$$

7 Conclusions 

In this paper, measures for the information revealed when computing $f$ have 
been considered. We have analysed the measures given by Bar-Yehuda et al. 
and have shown that some results presented in [1] are wrong. Moreover, we 
have observed some unnatural properties of these measures. We have introduced 
a new definition of the additional information for two-party protocols and have 
given bounds on the additional information for concrete functions. We 
get, e.g., that for the $n$-variable inner product mod 2 function it holds that 
$J_c(f_{\mathrm{in}}) > n/2 - 2$. An interesting open problem is to show lower and upper 
bounds on $J_c$ for other specific functions. A further task is to investigate 
the tradeoff between the additional information and the number of rounds of 
communication protocols.
Abstract. We propose Gate Evaluation Secret Sharing (GESS), a new 
kind of secret sharing designed for use in secure function evaluation 
(SFE) with minimal interaction. The resulting simple and powerful GESS 
approach to SFE is a generalization of Yao's garbled circuit technique. 

We give efficient GESS schemes for evaluating binary gates and prove 
(almost) matching lower bounds. We give a more efficient information-theoretic 
reduction of SFE of a boolean formula $F$ to oblivious transfer. 
Its complexity is $\approx \sum_i d_i^2$, where $d_i$ is the depth of the $i$-th leaf of $F$.

1 Introduction 

The main motivation for this work is one-round secure function evaluation (SFE). 
SFE is one of the core problems of cryptography. We consider the following one-round 
two semi-honest parties setting. Alice and Bob wish to compute a function 
$f$ of their inputs $x$ and $y$ respectively: Alice sends the first message to Bob, Bob 
replies, and Alice computes $f(x,y)$. Both parties follow the prescribed protocol, 
but try to infer additional information from the messages they receive. This 
problem has been extensively studied, and very efficient solutions (with cost 
linear in the circuit representing $f$) exist (Yao's garbled circuit [3,21,24,25,27]), 
when Alice is polytime bounded. When Alice is computationally unlimited, only 
much less efficient algorithms are known [4,9,18,19,20,26].

One-round SFE is particularly interesting for several reasons. Firstly, from 
a practical point of view, interaction necessarily involves latencies in message 
deliveries, and in many practical situations waiting for messages dominates the 
entire computation time. Secondly, a large volume of research, e.g. [8,12,18,19], 
aims specifically at reducing the round complexity of multiparty protocols. 
Investigating the two-party one-round model may help increase our understanding 
of general secure multiparty computation. Finally, the recently popular area of 
secure autonomous agent computing (see, e.g. [1,8]) relies on one-round protocols, 
commonly implemented via encrypted circuit constructions. A variety of 
very useful mobile agents computing simple functions may benefit from our 
improvements. One such example, discussed in [1], is that of a shopping agent that 
would accept a sales offer if it is below a certain threshold.

We approach the problem in a general way by reducing SFE to oblivious 
transfer (OT). OT is a powerful primitive, and is the subject of a vast amount of 
research. It has been studied in many settings; for example, OT is instantiable 
with information-theoretic (IT) security (e.g. with noisy and quantum channels 
or a distributed sender [23]). Our SFE constructions automatically apply to all 
of the above (and many other) settings and will benefit from future OT research. 

B. Roy (Ed.): ASIACRYPT 2005, LNCS 3788, pp. 136-155, 2005.

1.1 Our Contributions and Outline of the Work 

Our main idea is a new simple way of evaluating circuit gates securely by using a 
new type of secret sharing, which we call Gate Evaluation Secret Sharing (GESS). 
Our method can be viewed as a generalization of Yao's garbled gate evaluation 
procedure, offering a simple and powerful approach for designing efficient SFE 
protocols. Our method is flexible, and not limited to $\vee$, $\wedge$, $\neg$ gates. Circuits with 
special purpose (e.g. non-binary) gates may be designed and implemented via 
GESS to achieve better efficiency for specific functions (see, e.g., Sect. 2.6).

We show how a composition of GESS schemes can be used to efficiently reduce 
SFE to (parallel executions of) 1-out-of-2 OT. Given a boolean formula, 
we obtain a one-round reduction, meaning that an instantiation of OT results in 
an SFE protocol, the security and round complexity of which are those of the 
underlying OT. Our reduction is very efficient. Previous approaches in part suffer 
from the exponential (in depth) cost of evaluation of a gate, which has intuitively 
appeared necessary. We break this intuition by providing a scheme for 
gate evaluation whose cost is only quadratic in the depth of the gate. Further, in 
our reduction, we don't "pay" for the internal gates of the formula. For a depth 
$d$ circuit, this results in an improvement over previous solutions by a factor of 
approximately the ratio of the two bounds: $O(2^d d^2)$ (ours) vs $O(2^d 2^{\Theta(\sqrt{d})})$. 
(Like all other approaches, ours suffers from the fact that the number of gates 
may be exponential in depth. Thus, we offer polytime reduction of only $NC^1$ 
circuits.) We prove non-trivial lower bounds, showing that our constructions are 
almost optimal in the GESS framework.

The GESS approach is especially efficient on small circuits, since it does not 
use encryption. In Sect. 2.6, we demonstrate this by a new efficient protocol 
for the Two Millionaires problem. This protocol also serves as an example of 
designing and implementing custom GESS gates. 

We start with describing previous approaches and giving conceptual and 
performance comparisons to our work (Sect. 1.2). We then present intuition for 
our approach and introduce the necessary formal definitions in Sect. 2 and 2.1. 
We present our constructions, lower bounds and performance analysis in Sect. 
2.3 - 2.5. In Sect. 2.6 we present a new solution of the Two Millionaires problem. 

In Sect. 3, we show how to use GESS to allow polytime SFE of polysize 
circuits, when Alice is polytime. In effect, we obtain another implementation 
of Yao's garbled circuit approach for the model with polytime Alice, offering 
essentially the same computational and communication complexity as its best 
implementations. The natural and efficient handling of the computational setting 
demonstrates the generality of the GESS approach. We mention that the efficiency 
of Yao's garbled circuit technique in the standard model can be (slightly) 
improved by using IT GESS on "the bottom part" of the circuit (see discussion 
in Sect. 3).
1.2 Comparisons with Related Previous Work 

General discussion. Note the frequent use of a variety of secret sharing schemes 
in secure multiparty computation. They are always used, however, to share secrets 
among players. We contrast this with our novel use, where secrets are 
shared among wires and given to the player who performs reconstruction. 

We note that some of the previous approaches (e.g. [9,18,19,20]) are applicable 
to more general representations of functions (e.g. by arithmetic formulas or 
branching programs (BP)). Many functions may have especially efficient representations 
when not restricted to boolean formulas (the setting we consider); 
such functions may not benefit from our constructions.

Although our reductions are efficient for polysize boolean formulas of arbitrary 
depth, they perform better on balanced formulas. For the latter, the 
complexity is quasi-linear (vs. cubic for highly unbalanced formulas) in the size 
of the formula. Note that it is possible ([7,6]) to rebalance any formula to obtain 
an equivalent log-depth balanced formula, at the cost of a small increase in its size 
(see end of Sect. 2.4 for more discussion).

Therefore, for the remainder of this section, assume that we are given a 
boolean formula (or an $NC^1$ circuit, which can be viewed as one), which is 
rebalanced if it benefits the approach considered. 

Let $d$ be the depth of the formula or the circuit.

Comparing our reduction to previous constant-round approaches. 

Kilian [20] was the first to show a one-round IT reduction (of complexity 
$O(4^d)$) of SFE to OT. Kilian relies on Barrington's [2] representation of $NC^1$ 
circuits as permutation BPs. It is possible to replace Barrington's representation 
in Kilian's construction with a more efficient construction of Cleve [9] (see, e.g. 
Cramer et al. [10]). The resulting complexity is $O(2^d 2^{\Theta(\sqrt{d})})$, which is the best 
previously known for $NC^1$ circuits and (re)balanced formulas. 

Ishai and Kushilevitz [18,19] suggested a way of representing a circuit 
as a predicate on a vector of degree 3 (the degree of the input variables $x_i$ is 1) 
randomizing polynomials. Their construction assigns an (exponential in $d$ in size) 
polynomial representation to each wire of the corresponding fan-out 1 circuit, 
and implies a one-round SFE-to-OT reduction of complexity $O(4^d)$. They also 
previously suggested a related Private Simultaneous Messages (PSM) model [17] 
of computation. They showed how to evaluate functions computed by BPs in 
the PSM model (and also in our SFE-to-OT reduction model) with resources 
quadratic in the size of the BP. (Recall, BPs are more powerful than permutation 
BPs or formulas.) For our setting, their approach implies a one-round SFE-to-OT 
reduction of cost $O(4^d)$, using an (almost) linear in size transformation of a 
formula to a BP [14]. 

Our reduction of boolean formulas is simpler and more efficient (costing 
$O(2^d d^2)$) than the above approaches.

Yao's garbled circuit approach can also be used for such a reduction (see, 
e.g. [19]). The idea is to use an IT-secure two-time encryption scheme (e.g. using 
a one-time pad) in Yao's garbled circuit. The keys of such a scheme must be more 
than twice the size of the secret, causing an exponential (in $d$) growth of the size 
of secrets, even in fan-out 1 circuits (footnote 1). The complexity of such a scheme is about 
$O(4^d)$ (up to $2^d$ leaves, each of size up to $2^d$). Our approach is a generalization 
and an improvement of this approach.

Sander, Young and Yung (SYY) ([26]) present a "fully homomorphic" 
encryption scheme and apply it to SFE. The encryption size grows exponentially 
with the number of the applied OR operations, resulting in $O(8^d)$ cost of 
SFE. Beaver [4] suggests an optimization of the SYY pyramid and extends the 
approach to the multiparty setting, achieving complexity $\Theta(4^d)$. Further, using 
the representation of Feige, Kilian and Naor [11] of NLOGSPACE as a product 
of polysize matrices, he shows how to compute it in one round, bootstrapping the 
SYY approach, also achieving complexity $O(4^d)$. Our approach is conceptually 
different, simpler, more composable, uses fewer assumptions, and offers complexity 
of at most $O(2^d d^2)$. Also, unlike SYY, we do not have the requirement of a 
layered circuit, which further increases our performance improvement. 

Finally, we mention (but do not discuss) a variety of non-constant round 
solutions (e.g. [22] and [16]).

1.3 Our Setting 

We are working in a setting with two semi-honest participants who use ran- 
domness in their computation. A large part of our work concerns reductions of 
various problems to the OT oracle. In the semi-honest model, secure reductions 
result in secure protocols when the called oracles are replaced by their secure 
implementations. Further, the oracles’ implementations may be run in parallel, 
which, with natural OT implementations, results in secure one-round protocols. 
See Goldreich [15] for definitions, discussion and the composition theorem. 

2 The GESS Approach 

The intuition behind the GESS approach. Suppose first that the circuit $C$ 
consists of a single binary gate $G$ with two inputs, one held by Alice and one 
by Bob. To transfer the value of the output wire to Alice, Bob encodes the possible 
values of each of the two input wires and transfers to Alice two of the four 
encodings, one for each wire. The encoding of Alice's wire value is sent via OT. 
Each pair of encodings that can possibly be sent has to allow the recovery of 
the value of the output wire corresponding to $G$, and cannot carry any other 
useful information. Consider the following example.



Footnote 1. Note the distinction between this flavour of Yao's approach and its standard version 
for evaluation of polysize circuits (e.g. [3,25,24,21]). The latter is not a reduction to 
OT; e.g., it cannot be used to construct one-round protocols IT-secure against Alice.
Given the possible output values 0, 1 and the semantics of the gate $G$, Bob 
generates encodings of the input wires' values $(s^1_0, s^1_1)$, $(s^2_0, s^2_1)$, such that each 
possible pair of encodings $s^1_i, s^2_j$, where $i, j \in \{0,1\}$, allows to reconstruct $G(i,j)$, 
and carries no other information. Now, if Bob sends Alice the shares corresponding 
to their inputs, Alice would be able to reconstruct the value of the output wire, 
and nothing else. 

This mostly corresponds to our intuition of secret sharing schemes. Indeed, 
the possible gate outputs play the role of secrets, which are shared and then 
reconstructed from the input wires' encodings (shares). 

Our next observation is that Bob need not share the values of the output 
wire, but instead can share their encodings, which, in turn, may be input 
shares of another gate. Thus, Alice and Bob can recursively apply the GESS 
approach to multi-gate circuits. For each wire, Alice will only be able to obtain 
one secret, the one corresponding to the value of the wire on the parties' 
inputs.

2.1 The Definition of Gate Evaluation Secret Sharing 

We now formally state the desired properties of the secret sharing scheme. While 
the idea of the definition is quite simple, it is somewhat burdened with notation 
due to the necessary level of formalism. For simplicity, we present the definition 
for the case of a gate with two binary inputs and a binary output, postponing 
the presentation of its most general form to Appendix A (Def. 2). A simple 
instructive example of a GESS scheme is Constr. 2 in Sect. 2.3. 

Let $G$ be a gate with two binary inputs and a binary output. Also denote 
by $G : \{0,1\} \times \{0,1\} \to \{0,1\}$ the function computed by gate $G$. Let $SEC$ 
be the domain of secrets. Suppose we've associated a secret $s_i \in SEC$ with 
each of the two possible values $i$ of the output wire of $G$. In general, the distributions 
of $s_0$ and $s_1$ may be dependent, so we talk about a tuple of secrets 
$(s_0, s_1)$ from a domain of tuples $TSEC \subset SEC^2$ associated with the output 
wire. We want to assign a share to each value of the two input wires, such that 
each combination of shares allows reconstruction of (only) the "right" secret. 
As do secrets, shares on a wire form a tuple: $(sh_{10}, sh_{11}) \in TSH_1 \subset (SH_1)^2$ 
on wire 1, and $(sh_{20}, sh_{21}) \in TSH_2 \subset (SH_2)^2$ on wire 2. In our notation, 
$sh_{ij} \in SH_i$ is the share of the $i$-th input wire ($i \in \{1,2\}$) corresponding to the 
value $j \in \{0,1\}$.

Definition 1. (Gate Evaluation Secret Sharing) A gate evaluation secret sharing 
scheme (GESS) for evaluating $G$ as above (we also say GESS implementing 
$G$) is a pair of algorithms $(Shr, Rec)$ (with implicitly defined secrets domain 
$SEC$, secrets tuples domain $TSEC$, two share domains $SH_1$ and $SH_2$ and two 
share tuples domains $TSH_1$, $TSH_2$), such that the following holds. 

The probabilistic share generation algorithm $Shr$ takes as input a two-tuple 
of secrets $(s_0, s_1) \in TSEC$ and outputs two tuples of shares (one for each wire), 
where, $\forall i \in \{1,2\}$, the $i$-th tuple $t_i \in TSH_i$ consists of two shares $sh_{ij} \in SH_i$. 
The deterministic share reconstruction algorithm $Rec$ takes as input two elements 
$sh_1 \in SH_1$ and $sh_2 \in SH_2$ and outputs $s \in SEC$.
Let $v = (v_1, v_2) \in \{0,1\} \times \{0,1\}$ be a selection vector. Define the selection 
function $Sel((sh_{10}, sh_{11}), (sh_{20}, sh_{21}), v) = (sh_{1v_1}, sh_{2v_2})$. Write $V_1 \equiv V_2$ to denote 
that $V_1$ and $V_2$ are distributed identically. 

$Shr$ and $Rec$ satisfy the following conditions: 

— correctness: for all random inputs of $Shr$ and secrets tuples $(s_0, s_1) \in TSEC$, 
$\forall v \in \{0,1\}^2$: $Rec(Sel(Shr((s_0, s_1)), v)) = s_{G(v)}$ 

— privacy (selected shares contain no information other than the value $s_{G(v)}$): 
There exists a simulator $Sim$, such that $\forall (s_0, s_1) \in TSEC$ and any 
$v \in \{0,1\}^2$: $Sim(s_{G(v)}) \equiv Sel(Shr((s_0, s_1)), v)$

Observation 1. A simple generalization of this definition (required for discussion 
in Sect. 2.3 and 2.4) considers the identity gate $G_I$ with a four-valued output 
wire, where each output corresponds to a pair of inputs. In this case, the secrets 
form a 4-tuple $(s_{00}, \ldots, s_{11})$, while there are still two two-tuples of shares. Note 
that we can convert GESS implementing $G_I$ into GESS implementing any other 
binary gate by simply restricting some of the secrets to be equal. Denote the 
correspondence between a secret $s \in SEC$ and the wire value $v \in \{0,1\}$ by $s \leftrightarrow v$. 
Then setting $s_{01} = s_{10} = s_{11} \leftrightarrow 1$, $s_{00} \leftrightarrow 0$ gives the implementation of the OR, 
and $s_{00} = s_{01} = s_{10} \leftrightarrow 0$, $s_{11} \leftrightarrow 1$ of the AND gate. NOT gates can be implemented 
"for free" by simply eliminating them and inverting the correspondence 
of the appropriate wire's values and secrets.

Observation 2. We note that, in contrast with the traditional approach of multi-secret 
sharing schemes, our definition allows the possibility that a single share 
gives out some information about a secret. It is easy to see, however, that this 
information must be common to every secret, since otherwise it is possible to 
determine whether a corresponding combination of secret/share occurred, which 
allows to easily construct a distinguisher breaking the privacy requirement of 
GESS. Further, shares of the same wire, corresponding to different values, must 
be distributed identically (otherwise a distinguisher exists). 

The definition is given for specific input and output domains, and therefore 
we do not talk about polynomial bounds on $Shr$ and $Rec$. However, in practice, 
we are interested in ensembles of schemes and want them to be uniform polytime 
algorithms. We won't insist on an ensemble of efficient simulators, because an 
efficient simulator exists if any one exists. Indeed, an efficient simulator can 
simply output $Sel(Shr((s_0, s_1)), v)$, where at least one of the secrets $s_i$ is equal 
to $s$, and $v$ is any selection vector such that $G(v) = i$.

2.2 Reduction of SFE to OT Using GESS 

Suppose Alice and Bob have a circuit $C$, consisting of fan-out 1 gates $G_1, G_2, \ldots$. 
We formally describe a reduction of securely evaluating $C$ on their inputs to calls 
to OT, resulting in a one-round protocol. Again, for simplicity of presentation 
we assume that all gates $G_i$ are fan-in 2 binary gates. 

Assume that for every gate $G$ of $C$, there exists a GESS $GESS_G = (Shr_G, Rec_G)$ 
of Def. 1 with appropriate secret domains (as described below). We give explicit 
constructions (e.g. Constr. 2 in Sect. 2.3) of such schemes for all gates with two 
binary inputs. We note that GESS for every other gate can be constructed (e.g. 
from Constr. 1 instantiated with GESS of Constr. 2).

Construction 1. (Reducing SFE to OT) Bob's precomputation. Bob starts 
with the output gate. He sets its secrets domain $SEC$ to be $\{0,1\}$ and sets 
the secrets tuple to $(0, 1)$. He proceeds through the gates of $C$ recursively as follows. 

Consider a gate $G$. Let $TSEC$ and a secrets tuple $t = (s_0, s_1) \in TSEC$ be 
given for $G$. Let $GESS_G$ be a GESS scheme implementing $G$ with secrets tuples 
domain $TSEC \subset SEC^2$. Bob runs $Shr_G$ on the secrets tuple $t$ and obtains two 
tuples of shares $t_1 \in TSH_1$ and $t_2 \in TSH_2$, corresponding to the first and second 
input wires of $G$ respectively. Let $G'_i$ be the $i$-th input gate of $G$ ($i \in \{1,2\}$). Then 
Bob processes $G'_i$ as follows. He treats the tuple of shares $t_i \in TSH_i$ of $G$'s $i$-th input 
wire as the tuple of secrets of $G'_i$, and $TSH_i$ as the secrets tuples domain of 
$G'_i$. Bob now applies the algorithm of this paragraph to $G'_i$. 

Eventually, Bob obtains secrets tuples for all input wires of $C$. Note that 
Bob's choices of instances of GESS schemes for the gates of $C$ are deterministic 
and built into the protocol; this explicates the corresponding $Rec$ procedures.

Interaction. For each input wire associated with Alice, she and Bob make 
(parallel) calls to OT oracles. Alice has the wire's input and Bob has the tuple 
of secrets as their inputs to each of the calls. For each input wire associated with 
Bob, Bob sends Alice the corresponding secret from that wire's tuple of secrets (footnote 2). 

Alice's computation. Alice obtains the results of the OT and the secrets corresponding 
to Bob's inputs. Alice proceeds, from the top down on the circuit $C$, 
as follows. For each gate, Alice knows the secrets corresponding to the inputs of 
the gate, and the corresponding $Rec$ procedure. She runs $Rec$ on the input secrets 
and obtains the output secret. She proceeds in this manner until she obtains the 
secret corresponding to the output wire. Alice outputs this secret.

Theorem 1. Constr. 1 is a non-cryptographic reduction (thus unconditionally 
secure against both Alice and Bob) of SFE of $C$ to OT, in the semi-honest model. 

The proof of Theorem 1 is intuitive and is presented in Appendix B.

Observation 3. A circuit $C$ with fan-out greater than 1 can be converted into a 
corresponding (potentially very large) tree-circuit $C'$ by duplicating $C$'s subtrees 
where appropriate. Equivalently, one can view the secrets as being computed and 
propagated by Bob in parallel on the same wire. Note that we, however, need not 
increase the number of corresponding OT instances due to the growth of $C'$ relative 
to $C$ (until a certain efficiency threshold is reached). Rather, Bob's inputs 
to OT will be longer (without an increase in the total number of bits transferred). 
This will often result in significant computational and communication 
savings. 

Footnote 2. This message is appended to Bob's messages of the $n$-round instantiations of OT 
oracles to form an $n$-round protocol.
2.3 GESS for Gates with Two Binary Inputs 

We now present an efficient ensemble of GESS schemes (indexed by the secrets 
domains) implementing any binary gate with two binary inputs. This construction 
is a building block of the more efficient Constr. 3. We present GESS for the 
1-to-1 gate function $G : \{0,1\}^2 \to \{00, 01, 10, 11\}$, where $G(0,0) = 00$, $G(0,1) = 01$, 
$G(1,0) = 10$, $G(1,1) = 11$ (see Observation 1 for justification). 

Let the secrets domain be $SEC = \{0,1\}^n$, and let four (not necessarily distinct) 
secrets $s_{00}, \ldots, s_{11} \in SEC$ be given; the secret $s_{ij}$ corresponds to the value $G(i,j)$ 
of the output wire. Note that $|SEC| \ge 4$ need not hold; our scheme is interesting 
even when $|SEC| = 2$.

The intuition for the design of the GESS scheme is as follows. We first 
randomly choose two strings $R_0, R_1 \in_R SEC$ to be the shares $sh_{10}$ and $sh_{11}$ 
(corresponding to 0 and 1 of the first input wire). Now consider $sh_{20}$, the share 
corresponding to 0 of the second input wire. We want this share to produce either 
$s_{00}$ (when combined with $sh_{10}$) or $s_{10}$ (when combined with $sh_{11}$). Thus, the 
share $sh_{20} = B_{00} B_{10}$ will consist of two blocks. One, $B_{00} = s_{00} \oplus R_0$, is designed 
to be combined with $R_0$ and reconstruct $s_{00}$. The other, $B_{10} = s_{10} \oplus R_1$, is 
designed to be combined with $R_1$ and reconstruct $s_{10}$. Share $sh_{21} = B_{01} B_{11}$ is 
constructed similarly, setting $B_{01} = s_{01} \oplus R_0$ and $B_{11} = s_{11} \oplus R_1$. Note the 
indexing notation: the secret $s_{ij}$ is always reconstructed using $B_{ij}$. 

Both leftmost blocks $B_{00}$ and $B_{01}$ are designed to be combined with the same 
share $R_0$, and both rightmost blocks $B_{10}$ and $B_{11}$ are designed to be combined 
with $R_1$. Therefore, we append a 0 to $R_0$ to tell $Rec$ to use the left block of the 
second share for reconstruction, and append a 1 to $R_1$ to tell $Rec$ to use the 
right block of the second share for reconstruction. Finally, to hide the information 
leaked by the order of the blocks in the shares, we perform the following. We randomly 
choose a bit $b$; if $b = 1$, we reverse the order of the blocks in both shares of wire 2 
and invert the appended pointer bits of the shares of wire 1. More formally:

Construction 2. (GESS ensemble for gates with two binary inputs.) Let $SEC = \{0,1\}^n$ 
and $TSEC = SEC^4$ be the secrets domains. Let the secrets tuple 
$(s_{00}, \ldots, s_{11}) \in TSEC$ be given. The domains of shares are $SH_1 = \{0,1\} \times SEC$ 
and $SH_2 = SEC^2$. Note that $TSH_1 = SH_1^2$ and $TSH_2 = SH_2^2$. 

$Shr$ chooses $b \in_R \{0,1\}$, $R_0, R_1 \in_R SEC$ and sets the blocks 
$B_{00} = s_{00} \oplus R_0$, $B_{01} = s_{01} \oplus R_0$, $B_{10} = s_{10} \oplus R_1$, $B_{11} = s_{11} \oplus R_1$. 
$Shr$ sets the tuples of shares $(sh_{10}, sh_{11}) \in SH_1^2$, $(sh_{20}, sh_{21}) \in SH_2^2$ as follows 
(juxtaposition denotes concatenation, and $\neg b$ is the complement of the bit $b$): 

                    wire 1               wire 2, if b = 0         wire 2, if b = 1 
  wire value 0      sh_10 = b R_0        sh_20 = B_00 B_10        sh_20 = B_10 B_00 
  wire value 1      sh_11 = ¬b R_1       sh_21 = B_01 B_11        sh_21 = B_11 B_01 

$Rec$ proceeds as follows. On input $sh_1 = b' r$, $sh_2 = a_0 a_1$, $Rec$ outputs $r \oplus a_{b'}$.
Theorem 2. For each $n \in \mathbb{N}$, Constr. 2 is a GESS scheme.

Proof. (Sketch): To prove correctness, we need to show that no matter what the
random choices of Shr and the wire values $i_1, i_2$ are, Rec always reconstructs
$s_{G(i_1,i_2)}$. Verification of correctness is simple and is moved to Appendix D.

We now prove security. Suppose secrets $s_{00}, \ldots, s_{11}$ are given. This determines
the distribution on the Shr generated shares. Let the input wire values $i_1, i_2$ be
given. Then the distribution $P$ on the corresponding pair of shares $(sh_{1i_1}, sh_{2i_2})$
and the secret $s = s_{G(i_1,i_2)}$ shared by the pair are determined. The goal of the
simulator is, given only $s$, to generate a pair of shares distributed identically to
$P$. Note that this exactly corresponds to the privacy condition $Sim(s_{G(i_1,i_2)}) \equiv
Sel(Shr(s_{00}, \ldots, s_{11}), (i_1, i_2))$ of Def. 1.

The following natural simulator $Sim(s)$ suffices. On input $s \in SEC$, Sim
chooses a random bit $d \in_R \{0,1\}$ and random strings $p, q \in_R SEC$. If $d = 0$,
he outputs $((d, p), (p \oplus s, q))$, otherwise he outputs $((d, p), (q, p \oplus s))$. The simple
proof by case analysis is presented in Appendix D. □
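Construction 2 and the simulator of Theorem 2, as an added example (this is not code from the paper): secrets are $N$-bit integers, the gate is supplied as a Python function, and the secrets tuple is derived from the output-wire secrets as $s_{i_1 i_2} = w_{G(i_1,i_2)}$ (the way the Sect. 2.2 reduction uses the scheme). `verify` enumerates all of Shr's randomness for $N = 3$ and checks both conditions of Def. 1 exhaustively: Rec returns $s_{G(i_1,i_2)}$, and the multiset of selected share pairs equals the multiset of Sim's outputs.

```python
# Added example, not code from the paper: Construction 2 (GESS for a gate with
# two binary inputs) with its simulator Sim from the proof of Theorem 2, and an
# exhaustive check of correctness and of perfect privacy for small n.
import itertools
import random
from collections import Counter

N = 3                      # secrets are N-bit strings, represented as ints
SEC = range(1 << N)


def shr(s, b, r0, r1):
    """Shr of Construction 2 with the randomness (b, R_0, R_1) made explicit.

    s maps (i1, i2) -> s_{i1 i2}.  Returns ((sh_10, sh_11), (sh_20, sh_21)),
    where a wire-1 share is (pointer bit, block) and a wire-2 share is
    (left block, right block).
    """
    b00, b01 = s[0, 0] ^ r0, s[0, 1] ^ r0      # left blocks, reconstructed with R_0
    b10, b11 = s[1, 0] ^ r1, s[1, 1] ^ r1      # right blocks, reconstructed with R_1
    sh10, sh11 = (b, r0), (1 - b, r1)          # R_1 carries the inverted pointer bit
    if b == 0:
        sh20, sh21 = (b00, b10), (b01, b11)
    else:                                      # b = 1: reverse the block order
        sh20, sh21 = (b10, b00), (b11, b01)
    return (sh10, sh11), (sh20, sh21)


def share(s):
    """Shr with fresh system randomness (the way Bob would call it)."""
    rnd = random.SystemRandom()
    return shr(s, rnd.getrandbits(1), rnd.getrandbits(N), rnd.getrandbits(N))


def rec(sh1, sh2):
    """Rec: on input sh_1 = b'r and sh_2 = a_0 a_1, output r xor a_{b'}."""
    bprime, r = sh1
    return r ^ sh2[bprime]


def sim(s, d, p, q):
    """Sim(s) of Theorem 2 with the randomness (d, p, q) made explicit."""
    return ((d, p), (p ^ s, q)) if d == 0 else ((d, p), (q, p ^ s))


def sim_distribution(s):
    """Distribution of Sim(s) over all of its randomness."""
    return Counter(sim(s, d, p, q) for d in (0, 1) for p in SEC for q in SEC)


def verify(gate, w0, w1):
    """Check Construction 2 for gate G and output-wire secrets (w0, w1), i.e.
    s_{i1 i2} = w_{G(i1,i2)}.  Correctness: Rec returns w_{G(i1,i2)} for every
    choice of Shr's randomness.  Privacy: the distribution of the selected pair
    Sel(Shr(s), (i1, i2)) equals that of Sim(s_{G(i1,i2)}) (Def. 1)."""
    s = {(a, c): (w0, w1)[gate(a, c)] for a in (0, 1) for c in (0, 1)}
    for i1, i2 in itertools.product((0, 1), repeat=2):
        target = (w0, w1)[gate(i1, i2)]
        real = Counter()
        for b, r0, r1 in itertools.product((0, 1), SEC, SEC):
            t1, t2 = shr(s, b, r0, r1)
            pair = (t1[i1], t2[i2])
            if rec(*pair) != target:
                return False
            real[pair] += 1
        if real != sim_distribution(target):
            return False
    return True


AND = lambda a, c: a & c
OR = lambda a, c: a | c
XOR = lambda a, c: a ^ c
```

Note that `verify` never looks at the gate function when building Sim's distribution: the same `sim` serves every gate, which is exactly Observation 4 below. The two multisets have equal size ($2 \cdot 2^N \cdot 2^N$ outcomes each), so their equality as Counters is the perfect-simulation statement of Def. 1.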

The Permute and Point (PP) Technique. We note the application of the 
following technique: we permuted the blocks of the shares of the second wire, and 
appended pointers to the shares of the first wire, hiding information contained 
in the order of blocks. We use the same idea in all other constructions in this 
paper (of Sect. 2.4 and 2.6). We believe this technique is likely to be useful in 
many other GESS constructions; it may also have other applications. 

Observation 4. We note that the simulator Sim of Theorem 2 is the same for 
every gate function - it is only the secrets semantics that defines the semantics 
of the gate. Therefore, Sim can simulate gates without knowing what they are. 
Therefore, when this secret sharing scheme is plugged into the protocol of Sect. 
2.2, semantics of all gates are unconditionally hidden from Alice - she only knows 
the wire connections of C. 


2.4 The Main Construction - GESS for AND/OR/NOT Circuits 

Note the inefficiency of Constr. 2, which causes the shares corresponding to the second
input wire to be double the size of the gate's secrets. While, in some circuits, we
could avoid the exponential (in depth) secret growth by balancing the direction of
greater growth toward more shallow parts of the circuit, a more efficient solution
is desirable. We discuss only AND/OR circuits, since NOT gates are given for
"free" (see Observation 1).

Recall, in Constr. 2 each of the two shares of the second wire consists of two 
blocks. Observe that in the case of OR and AND gates either left or right blocks 
of these two shares are equal. We use this property to reduce (relative to Constr. 
2) the size of the shares when the secrets are of the above form. Our key idea is 
to view the shares of the second wire as being equal, except for one block. 

Suppose each of the four secrets consists of $n$ blocks and the secrets differ
only in the $j$-th block, as follows:

$s_{00} = (t_1 \ldots t_{j-1}\ t_j^{00}\ t_{j+1} \ldots t_n), \ldots$

$s_{11} = (t_1 \ldots t_{j-1}\ t_j^{11}\ t_{j+1} \ldots t_n),$

where $\forall i = 1..n$: $t_i, t_j^{00}, t_j^{01}, t_j^{10}, t_j^{11} \in D$, for some domain $D$ of size $k$. It is
convenient to consider the columns of blocks, spanning across the shares. Every
column (with the exception of the $j$-th) consists of four equal blocks. We stress
that the index $j$ is only determined by the secrets, and must not be recovered
at reconstruction. We construct a GESS for gates with two binary inputs, where
the size of each share of the first wire is $n(k + \lceil \log(n+1) \rceil)$ and of the second
wire is $(n+1)k$. Further, each share of the first wire consists of $n$ blocks of
size $|D| + \lceil \log(n+1) \rceil$, and all but one pair of corresponding blocks are equal
between the shares. Each share of the second wire consists of $n+1$ blocks of size
$|D|$ and, for OR and AND gates, all but one pair of corresponding blocks are
equal between the shares. Since the generated shares satisfy the above conditions
on secrets, repeated application of this GESS for OR and AND gates is possible.

The scheme’s intuition. For simplicity of presentation, we do not present 
the GESS scheme in full generality here (this is postponed to Appendix C). We 
show its main ideas by considering the case where the four secrets consist of 
n = 3 blocks each, and j = 2 is the index of the column of distinct blocks. 

Our idea is to share the secrets "column-wise", that is to treat each of the
three columns of blocks of the secrets as a tuple of subsecrets and share this
tuple separately, producing the corresponding subshares. Consider sharing the
1-st column. All four subsecrets are equal (to $t_1 \in D$), and we share them trivially
by setting both subshares of the first wire to a random string $R_1 \in_R D$, and both
subshares of the second wire to be $R_1 \oplus t_1$. Column 3 is shared similarly. We
share column 2 as in Constr. 2 (highlighted on the diagram), omitting the last
step of appending the pointers and permutation. This preliminary assignment of
shares (still leaking information due to order of blocks) is shown on the diagram.


[Diagram: preliminary sharing for $n = 3$, $j = 2$, with column 2 highlighted as the one shared as in Constr. 2. Secrets: $s_{00} = (t_1, t_2^{00}, t_3)$, $s_{01} = (t_1, t_2^{01}, t_3)$, $s_{10} = (t_1, t_2^{10}, t_3)$, $s_{11} = (t_1, t_2^{11}, t_3)$. Wire 1: $sh_{10} = (R_1 \mid R_2 \mid R_3)$, $sh_{11} = (R_1 \mid R'_2 \mid R_3)$. Wire 2: $sh_{20} = (R_1 \oplus t_1 \mid R_2 \oplus t_2^{00} \mid R'_2 \oplus t_2^{10} \mid R_3 \oplus t_3)$, $sh_{21} = (R_1 \oplus t_1 \mid R_2 \oplus t_2^{01} \mid R'_2 \oplus t_2^{11} \mid R_3 \oplus t_3)$.]

Note that the reconstruction of secrets is done by XOR'ing the corresponding
blocks of the shares, and, importantly, the procedure is the same for both types
of sharing we use. For example, given $sh_{10}$ and $sh_{21}$, we reconstruct the secret
$(R_1 \oplus (R_1 \oplus t_1),\ R_2 \oplus (R_2 \oplus t_2^{01}),\ R_3 \oplus (R_3 \oplus t_3)) = s_{01}$.

The remaining (PP) step (not shown on the diagram) is to randomly permute
the order of the four columns of both shares of wire 2 and to append $(\log 4)$-bit
pointers to each block of the shares of wire 1, telling Rec which block of the
second share to use. Note that the pointers appended to both blocks of column
1 of wire 1 are the same. The same holds for column 3. Pointers appended to
blocks of column 2 are different. For example, if the identity permutation was
applied, then we will append "1" to both blocks $R_1$, "2" to $R_2$, "3" to $R'_2$, and
"4" to both blocks $R_3$. Because $G$ is either an OR or an AND gate, both tuples
of shares maintain the property that all but one pair of corresponding blocks
are equal between the shares of the tuple. Note that it is not a problem that the
index of the column with different entries on input wire 1 is the same as that
on the output wire: since the adversary never sees both shares of any wire, this
index remains unconditionally hidden.

Construction 3. (GESS for AND/OR gates) The presented construction can
be naturally generalized for an arbitrary number of blocks $n$ of size $k$ and for
arbitrary index $j$ of the column with differing blocks. The formal presentation of
this general construction is postponed to Appendix C (Constr. 6).

Theorem 3. For each $n, k, j \in \mathbb{N}$, Constr. 3 is a GESS scheme as defined by
(a generalization of) Def. 1.

We give the intuition of the proof and refer the reader to Appendix C for details.
First, the correctness of the reconstruction is easily verifiable. Further, each of the
four pairs of shares, reconstructing their corresponding secret $s \in \{s_{00}, \ldots, s_{11}\}$,
has the following structure. Let $s = (t_1, \ldots, t_n)$. The second share in each pair
of shares is a sequence of $n+1$ randomly chosen blocks $r_i$ from $D$: $sh_2 =
(r_1, \ldots, r_{n+1})$. The first share in each pair is a sequence of $n$ "blocks with pointers"
$sh_1 = (B_1, \ldots, B_n)$, as follows. $\forall i \in \{1..n\}$, $B_i = (p_i, b_i)$, where $p_1, \ldots, p_n$ is a
random permutation of a random $n$-element subset of $\{1..n+1\}$, and $b_i =
t_i \oplus r_{p_i} \in D$. This implies the simulator $Sim(s)$, required by Def. 1.

GESS' performance. From above, if the secrets of the output wire of $G$
consist of $n$ blocks of size $k$, then the secrets of $G$'s inputs consist of no more
than $n+1$ blocks of size $k + \lceil \log(n+1) \rceil$. Similarly, $d$ levels deeper, wires' secrets
consist of no more than $n+d$ blocks of size $k + \sum_{i=1}^{d} \lceil \log(n+i) \rceil$. Therefore,
starting with one-bit secrets ($n = 1$, $k = 1$), a tree circuit will have at depth $d$
secrets of size at most $(d+1)(d\log(d+1) + 1) = d^2\log(d+1) + d\log(d+1) + d + 1$.
The shares grow very slowly: as $d \to \infty$, the "share expansion factor", the
ratio of sizes of shares to sizes of secrets of a GESS scheme for a gate $G$ at depth
$d$, approaches 1. Since the gates have exactly two inputs, there are at most $2^d$
input wires to the circuit, and the total size of Bob's secrets to be sent to Alice
is $2^d(d^2\log(d+1) + d\log(d+1) + d + 1) \approx 2^d d^2 \log d$, dominated by the $2^d$ term.

Rebalancing $C$ prior to applying the above reduction may result in sub-
stantial performance improvement. Bonet and Buss [6] and Bshouty, Cleve and
Eberly [7] prove the following fact (and exhibit the rebalancing procedure).

Let $C$ be a $\{\vee, \wedge, \neg\}$-formula of leaf size $m$. Then for all $k \geq 2$, there is
an equivalent $\{\vee, \wedge, \neg\}$-formula $C'$, such that $depth(C') \leq (3k \ln 2) \cdot \log m$, and
$leafsize(C') \leq m^{\alpha}$, where $\alpha = 1 + \frac{1}{1 + \log(k-1)}$.

Consider a highly unbalanced $C$ of size $m$. Direct application of our reduc-
tion costs $O(m^3)$, more than BP based approaches [17,18,19] of cost $O(m^2)$.
Rebalancing $C$ as above, even suboptimally setting $k = 9$, results in a formula
$C'$ of size $m^{1.25}$ and depth $\approx 18.5 \log m$. Applying the reduction to $C'$ yields
a much better cost $O(m^{1.25} \log^2 m)$. An optimal (w.r.t. the cost of the GESS
reduction) choice of $k$ or better rebalancing will further improve our (but not
BP's) performance.
2.5 Lower Bounds for GESS — The Optimality of Our Constructions

Let $i, j \in \{0,1\}$. Denote by $A_i$ (resp. $B_j$) the random variable of the share
corresponding to the wire value $i$ (resp. $j$) of the first (resp. second) input wire. Denote
by $S_{ij}$ the random variable of the secret corresponding to the gate output value
$G(i,j)$. Let $H(\cdot)$ be Shannon entropy. We start with proving a technical lemma.

Lemma 1. For any GESS scheme implementing a gate with binary inputs, 

Proof. For simplicity, prove the lemma for $i = j = 0$, i.e. that $H(A_0) + H(B_0) \geq
H(S_{01}|B_1) + H(S_{10}|A_1) + H(S_{00}|S_{01}S_{10}S_{11})$. Other cases are analogous.

First, since $H(S_{01}|A_0B_1) = 0$, and using the chain rule twice, obtain
$H(A_0|B_1) = H(A_0S_{01}|B_1) - H(S_{01}|A_0B_1) = H(A_0S_{01}|B_1) = H(S_{01}|B_1) +
H(A_0|B_1S_{01})$. Similarly, $H(B_0|A_1) = H(S_{10}|A_1) + H(B_0|A_1S_{10})$.

By definition, $A_1, B_1$ do not reveal anything about $S_{00}$ (other than what's
implied by $S_{11}$), and, further, $A_0, B_0$ recover $S_{00}$. Then
$H(S_{00}|S_{01}S_{10}S_{11}) \leq H(S_{00}|A_1B_1S_{01}S_{10}) \leq H(A_0B_0|A_1B_1S_{01}S_{10}) \leq
H(A_0|A_1B_1S_{01}S_{10}) + H(B_0|A_1B_1S_{01}S_{10}) \leq H(A_0|B_1S_{01}) + H(B_0|A_1S_{10})$.

Thus, $H(A_0) + H(B_0) \geq H(A_0|B_1) + H(B_0|A_1) \geq H(S_{01}|B_1) + H(A_0|B_1S_{01}) +
H(S_{10}|A_1) + H(B_0|A_1S_{10}) \geq H(S_{01}|B_1) + H(S_{10}|A_1) + H(S_{00}|S_{01}S_{10}S_{11})$. □

Because all shares corresponding to the same wire must be distributed iden-
tically (Observation 2), their entropies must be equal. Thus Lemma 1 implies
that $\forall i_1, i_2 \in \{0,1\}$:

$H(A_{i_1}) + H(B_{i_2}) \geq \max_{i,j \in \{0,1\}} \big( H(S_{i(1-j)}|B_{1-j}) + H(S_{(1-i)j}|A_{1-i}) + H(S_{ij}|S_{i(1-j)}S_{(1-i)j}S_{(1-i)(1-j)}) \big).$

Consider non-trivial gates, those that depend on both (binary) inputs. Note
that the gate output need not be binary. We show the optimality of constructions
for the natural case when the secrets are drawn independently at random from
the same domain (with only the restrictions of secrets equality imposed by the
semantics of $G$). In that case, by Observation 2, $H(S_{i(1-j)}|B_{1-j}) = H(S_{i(1-j)})$
and $H(S_{(1-i)j}|A_{1-i}) = H(S_{(1-i)j})$. Consider the two possible cases.

Case 1: there exist gate inputs $i, j$, s.t. $G(i,j)$ is not equal to the gate
value on any other inputs. This is the case for most non-trivial gates (including
AND and OR). In this case, $H(S_{ij}|S_{i(1-j)}S_{(1-i)j}S_{(1-i)(1-j)}) = H(S_{ij})$ and thus
$\forall i_1, i_2 \in \{0,1\}$: $H(A_{i_1}) + H(B_{i_2}) \geq H(S_{i(1-j)}) + H(S_{(1-i)j}) + H(S_{ij})$. This
matches (within 1 bit) the upper bound given by Constr. 2.

Case 2: such $i, j$ don't exist. Then the only non-trivial gates are XOR and
$\neg$XOR. GESS of Constr. 4 implements XOR and matches the lower bound of
$H(S_{i(1-j)}) + H(S_{(1-i)j})$ for this case.

Construction 4. (GESS ensemble for XOR gates.) Let $SEC = \{0,1\}^n$ and
$TSEC = SEC^2$ be the secrets domains. Let the secrets tuple $(s_0, s_1) \in TSEC$
be given. The domains of shares are set as follows: $SH_1 = SH_2 = SEC$.

Shr chooses $R \in_R SEC$ and sets $sh_{10} = R$, $sh_{11} = s_0 \oplus s_1 \oplus R$, $sh_{20} =
s_0 \oplus R$, $sh_{21} = s_1 \oplus R$.

Rec proceeds as follows. On input $sh_1, sh_2$, Rec outputs $sh_1 \oplus sh_2$.

Theorem 4. For each $n \in \mathbb{N}$, Constr. 4 is a GESS as defined by Def. 1.

The proof of Thm. 4 is very simple and is omitted.

In conclusion, for the shares $A_i$ and $B_j$ of the two input wires, we proved

Theorem 5. For every GESS scheme implementing an OR or an AND gate,
when all secrets are chosen at random from the same domain $SEC$ and each has
entropy $H_S$, $\forall i, j \in \{0,1\}$: $H(A_i) + H(B_j) \geq 3H_S$.

Of course, the entropy of each share must be at least $H_S$. Then all possible gates
with two binary inputs are (almost) optimally implemented by either Constr. 2
or 4. Our Constr. 3 beats the above lower bound by exploiting common informa-
tion among secrets. We leave open the question of exact lower bounds for this
interesting case. We stress that the share-size-to-secret-size ratio approaching 1,
achieved by Constr. 3, is "near optimal".
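Construction 4 and the Case 2 bound, as an added example (not code from the paper). The paper omits the proof of Theorem 4, so the simulator `sim_xor` here is ours: every selected pair of Constr. 4 has the form $(x, x \oplus s_{i \oplus j})$ with $x$ uniform, so $Sim(s) = (p, p \oplus s)$ with $p \in_R SEC$ suffices. `share_entropies` measures $H(A_i)$ and $H(B_j)$ by enumeration when $s_0, s_1$ are uniform on $SEC$ (so $H_S = N$): each share is uniform and the sums come out as $2H_S$, exactly the lower bound $H(S_{i(1-j)}) + H(S_{(1-i)j})$ of Case 2, whereas Constr. 2 gives $H(A_i) + H(B_j) = (N+1) + 2N = 3N + 1$, the Case 1 bound within one bit.

```python
# Added example, not code from the paper: Construction 4 (the XOR GESS) checked
# exhaustively for correctness and privacy (the simulator is ours), and the
# share entropies H(A_i), H(B_j) measured over uniformly random secrets for
# comparison with the Case 2 lower bound of Sect. 2.5.
import itertools
import math
from collections import Counter

N = 3                      # SEC = {0,1}^N, secrets represented as ints
SEC = range(1 << N)


def shr_xor(s0, s1, R):
    """Shr of Construction 4 with explicit randomness R.
    Returns ((sh_10, sh_11), (sh_20, sh_21))."""
    return (R, s0 ^ s1 ^ R), (s0 ^ R, s1 ^ R)


def rec_xor(sh1, sh2):
    """Rec of Construction 4."""
    return sh1 ^ sh2


def sim_xor(s, p):
    """Simulator (ours, not from the paper): with p uniform, (p, p xor s) is
    distributed as every selected pair, which is (x, x xor s_{i xor j})."""
    return (p, p ^ s)


def xor_correct_and_private():
    """For all secrets and all R: Rec returns s_{i xor j}, and the distribution
    of the selected pair equals that of sim_xor(s_{i xor j})."""
    for s0, s1 in itertools.product(SEC, SEC):
        for i, j in itertools.product((0, 1), repeat=2):
            target = (s0, s1)[i ^ j]
            real = Counter()
            for R in SEC:
                w1, w2 = shr_xor(s0, s1, R)
                if rec_xor(w1[i], w2[j]) != target:
                    return False
                real[(w1[i], w2[j])] += 1
            if real != Counter(sim_xor(target, p) for p in SEC):
                return False
    return True


def entropy_bits(counter):
    """Shannon entropy in bits of an empirical distribution given as counts."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def share_entropies():
    """(H(A_0), H(A_1), H(B_0), H(B_1)) in bits when s_0, s_1 and R are uniform
    on SEC, so that each secret has entropy H_S = N."""
    A = [Counter(), Counter()]
    B = [Counter(), Counter()]
    for s0, s1, R in itertools.product(SEC, SEC, SEC):
        w1, w2 = shr_xor(s0, s1, R)
        for i in (0, 1):
            A[i][w1[i]] += 1
            B[i][w2[i]] += 1
    return tuple(entropy_bits(c) for c in A + B)
```

The entropy measurement is only meaningful because the secrets are drawn uniformly from the same domain, which is the assumption under which Sect. 2.5 states its bounds; with correlated or structured secrets (the situation Constr. 3 exploits) the share entropies can fall below $3H_S$.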

2.6 Application of GESS: Efficient Practical Two Millionaires

We apply the GESS approach to give a new efficient solution to the two mil-
lionaires problem. We design a GESS scheme for a new type of gate and use it
to compute the Greater Than (GT) predicate. We use the intuitive circuit $C$
(below) that compares bits of the parties' inputs $x$ and $y$, starting with the most
significant, and sets the answer bit when it encounters the difference.

[Diagram of circuit $C$ omitted; each of its gates (a T-gate, one at each level $i$) takes the ternary input $j$ and the bits $x_i$, $y_i$ and outputs]

$$
\begin{cases}
j, & \text{if } j \in \{-1, 1\}, \\
-1, & \text{if } j = 0 \wedge x_i < y_i, \\
0, & \text{if } j = 0 \wedge x_i = y_i, \\
1, & \text{if } j = 0 \wedge x_i > y_i.
\end{cases}
$$

Here $j$ is a ternary input and $x_i$ and $y_i$ are bits. It is easy to see that $C$ indeed
computes GT: once a ternary wire is set to $-1$ or $1$, that value is propagated to
the output wire. We aim to minimize the expansion of the share corresponding
to the input $j$. Note the double application of permute and point in Constr. 5.

Construction 5. (GESS ensemble for T-gates.) Let $SEC = \{0,1\}^n$ and $TSEC =
SEC^3$ be the secrets domains. Let the secrets tuple $(s_{-1}, s_0, s_1) \in TSEC$ be
given. The domains of shares are set as follows: $SH_1 = \{0,1\} \times SEC$, $SH_2 =
(\{0,1\}^2 \times SEC)^2$ and $SH_3 = SEC^3$.

Shr chooses $R_0, R_1, r_1, r_2, r_3 \in_R SEC$, $a \in_R \{0,1\}$ and $b = (b_1, b_2, b_3)$, a
random permutation of $(0, 1, 2)$, where each $b_i$ is suitably represented by 2 bits.
Shr sets the shares $sh_{1i} = A_i$, $sh_{2i} = (B_{i0}, B_{i1})$, $sh_{3i} = (C_{i0}, C_{i1}, C_{i2})$, as shown
on the following diagram.



[Diagram of the share assignment of Construction 5 omitted. It shows the wire-1 shares $A_{-1}, A_0, A_1$, the wire-2 shares $(B_{0a}, B_{0\bar{a}})$ and $(B_{1a}, B_{1\bar{a}})$, and the wire-3 shares $(C_{0b_1}, C_{0b_2}, C_{0b_3})$ and $(C_{1b_1}, C_{1b_2}, C_{1b_3})$, whose blocks are XOR combinations of the secrets $s_{-1}, s_0, s_1$ with $R_0, R_1$ and $r_1, r_2, r_3$, with $a$ and the $b_i$ serving as the pointers.]

Rec, on input $sh_1 = a'r$, $sh_2 = p_0 b_0 p_1 b_1$, $sh_3 = c_0 c_1 c_2$, outputs
$r \oplus b_{a'} \oplus c_{p_{a'}}$.
Theorem 6. For each $n \in \mathbb{N}$, Constr. 5 is a GESS as defined by Def. 1.

Proof. (Sketch): Correctness of the scheme is easily verified. The simulator
$Sim(s)$ chooses random $a \in_R \{0,1\}$, $r'_0, \ldots, r'_4 \in_R SEC$, $\beta_0, \beta_1 \in_R \{0,1,2\}$, where
$\beta_0 \neq \beta_1$. Let $\beta'_i$ be suitable 2-bit representations of $\beta_i$. Sim outputs shares $((a r'_0),
(\beta'_0 r'_1 \beta'_1 r'_2), (\gamma_0 \gamma_1 \gamma_2))$, where $\gamma_{\beta_a} = s \oplus r'_0 \oplus r'_{a+1}$, and the other two $\gamma_i$ are assigned
$r'_3$ and $r'_4$. The proof of equality of the generated distribution to the real execu-
tion is similar to that of previous two theorems, and is omitted. □

Performance. Let $n$ be the length in bits of the compared numbers. The se-
crets corresponding to the T-gate at level $i$ are of length $i$, and thus the secrets
corresponding to the corresponding $x_i$ and $y_i$ are of lengths $3i$ and $2i+4$. Thus,
Bob needs to send $\sum_{i=1..n} 3i = 1.5n(n+1)$ bits and perform $n$ 1-out-of-2 OT's
with secrets of sizes $2+4, \ldots, 2n+4$.

The asymptotic complexity of this GT solution is worse than that of the best
currently known for either setting with limited Alice (Yao's approach, see, e.g.
[24]) or unlimited Alice [5,13]. Still, our solution performs better for comparing
smaller numbers ($n \approx 60..70$), since we do not use encryption³.

We note that a reduction with a complexity similar to ours (quadratic) can
be obtained by using BP-based techniques of [19].


3 Extension to Evaluating Polysize Circuits 

When Alice is assumed to be polynomially bounded, all polytime computable 
functions can be efficiently evaluated. Beaver, Micali and Rogaway [3,25], Naor, 
Pinkas and Sumner [24] and Lindell and Pinkas [21] suggested one-round proto- 
cols following Yao’s [27] garbled circuit approach. 

As discussed, the OT reduction does not allow polytime evaluation of gen- 
eral polysize circuits, due to the exponential growth of combined secrets size 
for each level of general circuits. We now informally describe a natural exten- 
sion that handles this problem in the standard model. This demonstrates the 
generality and applicability of the GESS approach. The resulting solution is 
conceptually very clean, although slightly less efficient than the best known ap- 
proach. 

The protocol is essentially Constr. 1, with the following amendment. Bob
will not propagate the secrets "up the circuit". Instead, for a gate $G$ with out-
put wires $w_1, \ldots, w_n$ and their (already computed) corresponding secrets tuples
$(s_0^1, s_1^1), \ldots, (s_0^n, s_1^n)$, he encrypts all the secrets corresponding to each gate value
together. More formally, he chooses two random keys $k', k''$ of a semantically se-
cure private-key encryption scheme $E$. He computes $e_0 = E_{k'}((s_0^1, \ldots, s_0^n))$, $e_1 =
E_{k''}((s_1^1, \ldots, s_1^n))$ and assigns $G$'s labels to be a random permutation of $e_0, e_1$.
He then treats the keys as the secrets to be propagated, letting $k'$ and $k''$ cor-
respond to wire values 0 and 1 respectively. When Bob is done, he will have
assigned secrets to each of the input wires and associated labels with each of the
gates. He sends the secrets to Alice as before, additionally sending her the gate
labels.

3 This advantage is minute with standard (public-key primitive based) OT implemen-
tations; it may be significant in other settings.

Alice obtains the secret shares for the input wires and proceeds with evaluation
similarly to the previous solution. The difference now is that, after having re-
covered a gate's secret (which is the key for one of the associated encryptions),
she decrypts the corresponding encryption to recover the outgoing wires' secrets.
To ensure that only one decryption succeeds, we impose an additional require-
ment on the encryption scheme. Informally, we need the ranges of encryptions
under different keys to be distinct, and that Alice is able to tell which decryption
succeeded. This is a rather weak requirement, satisfied, for example, by schemes
with elusive and efficiently verifiable ranges, formalized in [21]. Alice then uses
the recovered secrets as shares in computing the child gate's secrets, and so on.
Finally, she outputs the value of the output wire.
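One gate's labels in this extension, as an added example (not the paper's code and not any library's API): Bob encrypts the tuple of output-wire secrets for gate value 0 under $k'$ and the tuple for gate value 1 under $k''$, stores the two ciphertexts in random order, and Alice, holding whichever key she reconstructed, opens the one label that verifies. The encryption scheme is a constructed stand-in built from the standard library (a SHA-256 counter-mode keystream with an HMAC tag); the tag check is what gives the "efficiently verifiable range" the text asks for, since a ciphertext produced under one key does not verify under the other. A deployment would use an AEAD cipher; the secrets here are hex strings and the keys are 32 random bytes, both constructed for the example.

```python
# Added example, not code from the paper: gate labels for the Sect. 3 extension.
# The cipher is a constructed stand-in (SHA-256 counter-mode keystream plus an
# HMAC-SHA256 tag); its tag check plays the role of the verifiable range of [21].
import hashlib
import hmac
import json
import random
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def fresh_key():
    """A random 32-byte key, as Bob chooses k' and k'' for each gate."""
    return secrets.token_bytes(32)


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt(key, msg):
    """nonce || (msg xor keystream) || HMAC(key, nonce || ct)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(m ^ z for m, z in zip(msg, _keystream(key, nonce, len(msg))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Return the plaintext, or None if the tag does not verify under key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ z for c, z in zip(ct, _keystream(key, nonce, len(ct))))


def gate_labels(out0, out1, k0, k1):
    """Bob: e_0 = E_{k'}((s^1_0, ..., s^n_0)) and e_1 = E_{k''}((s^1_1, ..., s^n_1)),
    stored as a random permutation.  out0/out1 list the output wires' secrets
    (hex strings) for gate value 0 and 1; k0, k1 are k' and k''."""
    labels = [encrypt(k0, json.dumps(out0).encode()),
              encrypt(k1, json.dumps(out1).encode())]
    random.SystemRandom().shuffle(labels)
    return labels


def open_labels(key, labels):
    """Alice: with the gate's reconstructed secret (k' or k''), decrypt the one
    label that verifies and recover the output wires' secrets."""
    hits = [pt for pt in (decrypt(key, e) for e in labels) if pt is not None]
    if len(hits) != 1:
        raise ValueError("expected exactly one label to decrypt")
    return json.loads(hits[0])
```

Because the labels are shuffled, Alice learns nothing from their order; what tells her which one to use is the tag check alone, which is the point of the requirement on the encryption scheme stated above.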

Theorem 7. The above construction securely (against computationally unlim-
ited Bob and limited Alice) reduces SFE of polysize circuits to OT, in the semi-
honest model.

The proof of the theorem is rather intuitive and is presented in Appendix E.

The performance of the resulting approach is very similar to that of the
currently best known solutions (e.g. [21,24]). Indeed, our wire secrets are of the
same size as theirs, and thus the only difference in performance is caused by the
size of the gate labels. In [24], each gate has four labels of size $N$ each⁴, where
$N$ is the security parameter. It is easy to see that each gate of our solution
adds up to $6N$ bits to the collection of all gate labels (two secrets of length $N$
expand into two shares of length $N+1$ and two shares of length $2N$, which then
are encrypted and stored as labels). Some optimization of this number is also
possible. For example, we need not encrypt (and thus add the corresponding
labels) for the secrets that are just larger than $N$. This can reduce the gate-
induced label size by up to $2N$ bits.

We further note that in our scheme we only need to use encryptions once
the secret sizes grow too large (i.e. above some threshold larger than encryption keys).
Thus our method improves the performance of the evaluation of "the bottom
part" of every circuit, and can be combined with Yao's garbled circuit imple-
mentations.

4 The authors also mention an optimization that allows using only three labels.
A The General Definition of GESS

We give a general definition of a GESS scheme that allows sharing a tuple of
secrets. Let $G$ be a gate with $k$ inputs from domain $D_I = D_{I_1} \times \ldots \times D_{I_k}$ and
one output from domain $D_O$. We also denote by $G : D_I \mapsto D_O$ the function
computed by gate $G$. Let $SEC$ be the domain of secrets and $TSEC \subseteq SEC^{|D_O|}$
be the domain of tuples of secrets to be shared. For simplicity of presentation
and without loss of generality, assume that all domains $D_{I_i}$ and $D_O$ are initial
sequences of non-negative numbers, e.g. $D_{I_i} = \{0, 1, 2, \ldots, |D_{I_i}| - 1\}$.

Definition 2. (Gate evaluation Secret Sharing) A gate evaluation secret shar-
ing scheme (GESS) for evaluating $G$ (we also say GESS implementing $G$) is a
pair of algorithms $(Shr, Rec)$ (with implicitly defined secrets domain $SEC$, se-
crets tuples domain $TSEC$, $k$ share domains $SH_1, \ldots, SH_k$ and $k$ share tuples
domains $TSH_1, \ldots, TSH_k$), such that the following holds.

The probabilistic share generation algorithm Shr takes as input a $d_0 = |D_O|$-
tuple of secrets $(s_0, \ldots, s_{d_0-1}) \in TSEC$ and outputs a sequence of $k$ tuples of shares, where the
$i$-th tuple $t_i \in TSH_i$ consists of $|D_{I_i}|$ shares $sh_{ij} \in SH_i$. The deterministic share
reconstruction algorithm Rec takes as input a sequence of $k$ elements $sh_i \in SH_i$,
one from each domain, and outputs $s \in SEC$.

Let $b = (b_1, \ldots, b_k) \in D_I$ be a selection vector. Define the selection function
$Sel((sh_{10}, \ldots, sh_{1,|D_{I_1}|-1}), \ldots, (sh_{k0}, \ldots, sh_{k,|D_{I_k}|-1}), b) = (sh_{1b_1}, \ldots, sh_{kb_k})$.
Shr and Rec satisfy the following conditions:

— correctness: for all random inputs of Shr and secrets tuples $(s_0, \ldots, s_{d_0-1}) \in
TSEC$, $\forall b \in D_I$, $Rec(Sel(Shr((s_0, \ldots, s_{d_0-1})), b)) = s_{G(b)}$

— privacy (selected shares contain no information other than the value $s_{G(b)}$):
There exists a simulator Sim, such that $\forall (s_0, \ldots, s_{d_0-1}) \in TSEC$ and any
$b \in D_I$: $Sim(s_{G(b)}) \equiv Sel(Shr((s_0, \ldots, s_{d_0-1})), b)$


B Proof of Theorem 1

Proof. (Sketch): Security against Bob is trivial since he does not receive any
messages. The intuition for the scheme's security against Alice is that none of
the GESS implementations leak any information. To prove security, we show how
to construct $Sim_A$ perfectly simulating the following ensemble (view of Alice):
$VIEW_A(x, a) = \{x, m_{OT}, m\}$, where $x$ and $a$ are Alice's input and output, $m_{OT}$
is the sequence of messages received from the OT oracles and $m$ is the message
received from Bob directly.

$Sim_A$ first simulates wire secrets assignment as follows. He starts with the
output wire, assigns its value to be $a$, and proceeds through gates from the
bottom up as follows. Given gate $G$, its $GESS_G$, simulator $Sim_G$, and $G$'s output
wire value $v$, $Sim_A$ assigns values to $G$'s input wires according to $Sim_G(v)$.

Eventually, $Sim_A$ assigns secrets to all input wires of $C$. $Sim_A$ outputs
$\{x, m'_{OT}, m'\}$, where $x$ is Alice's input, $m'_{OT}$ and $m'$ are (proper representa-
tions of) the sequences of $C$'s input wires assignments corresponding to Alice
and to Bob respectively.

It is intuitive that the proposed simulator perfectly simulates Alice's view. In-
deed, the vector of inputs to $C$ defines a value assignment to each wire of the circuit,
which, in turn, defines a distribution on shares/secrets obtained (received or com-
puted) by Alice for each wire. We prove that wire assignment of $Sim_A$ perfectly
simulates the obtained secret for each wire. It is clear that $Sim_A$ perfectly assigns
the secret corresponding to the output wire by setting it to the output of the com-
putation he obtained as its input. Further, $Sim_A$ assigns secrets to the input wires
of the output gate $G$. These secrets are distributed identically to the secrets that
Alice reconstructs for these wires, because of the perfect simulation of $Sim_G$. Pro-
ceeding upward to the input wires, it is clear that $Sim_A$ perfectly simulates all the
wire assignments that Alice sees and reconstructs in the real execution. □

C The General Construction of GESS for AND/OR Gates

Construction 6. (Improved GESS for gates with two binary inputs.) Let $D =
\{0,1\}^k$ and $SEC = D^n$. Let secrets $s_{00}, \ldots, s_{11} \in SEC$ consist of $n$ blocks of
length $k$, and differ only in the $j$-th block. That is, let

$s_{00} = (t_1 \ldots t_{j-1}\ t_j^{00}\ t_{j+1} \ldots t_n),$

$\ldots$

$s_{11} = (t_1 \ldots t_{j-1}\ t_j^{11}\ t_{j+1} \ldots t_n),$

where $\forall i = 1..n$: $t_i, t_j^{00}, t_j^{01}, t_j^{10}, t_j^{11} \in D$, and the index $j$ is determined only by
the secrets. Let $TSEC \subseteq SEC^4$ be the space of all tuples of the above form.

Shr chooses $R_1, \ldots, R_n, R'_j \in_R D$ and a random permutation⁵ $\pi : \{1..n+1\} \to
\{1..n+1\}$. Let $\tau = \pi^{-1}$ be the inverse of $\pi$. For $m \in \{0,1\}$, Shr sets the shares
$sh_{1m} = (B_{m1}, \ldots, B_{mn})$ and $sh_{2m} = (C_{m1}, \ldots, C_{m,n+1})$, as shown on the following
diagram.

[Diagram: $sh_{10} = (B_{01}, \ldots, B_{0j}, \ldots, B_{0n}) = (\pi(1)R_1 \mid \ldots \mid \pi(j)R_j \mid \ldots \mid \pi(n)R_n)$ and $sh_{11} = (B_{11}, \ldots, B_{1j}, \ldots, B_{1n}) = (\pi(1)R_1 \mid \ldots \mid \pi(n+1)R'_j \mid \ldots \mid \pi(n)R_n)$. For $m \in \{0,1\}$ and $i \notin \{\pi(j), \pi(n+1)\}$, $C_{mi} = R_{\tau(i)} \oplus t_{\tau(i)}$; further $C_{0\pi(j)} = R_j \oplus t_j^{00}$, $C_{1\pi(j)} = R_j \oplus t_j^{01}$, $C_{0\pi(n+1)} = R'_j \oplus t_j^{10}$ and $C_{1\pi(n+1)} = R'_j \oplus t_j^{11}$.]

More specifically, the blocks of both shares of the first wire will be assigned
$R_1, \ldots, R_n$, with the exception of the $j$-th block of the share corresponding to
1, which will be assigned $R'_j$. Shr then, for all $i$, prepends $\pi(i)$ to the $i$-th block
of both shares of the first wire, with the exception of the $j$-th block of the second
share, which gets prepended $\pi(n+1)$.

Each $\pi(i)$-th block of both shares of the second wire will be set to $R_i \oplus t_i$, with
the exception of blocks $\pi(j), \pi(n+1)$. Those blocks' assignment is motivated by
Construction 2. Specifically, we set the $\pi(j)$-th block of the share corresponding to
0 to $R_j \oplus t_j^{00}$ and that block of the share corresponding to 1 to $R_j \oplus t_j^{01}$. We set
the $\pi(n+1)$-st block of the share corresponding to 0 to $R'_j \oplus t_j^{10}$ and that block of
the share corresponding to 1 to $R'_j \oplus t_j^{11}$. This completes the description of Shr.

Rec proceeds as follows. He obtains two shares $sh_1 = (ind_1, r_1, \ldots, ind_n, r_n)$
and $sh_2 = (a_1, \ldots, a_{n+1})$. He reconstructs the secret $s = (\sigma_1, \ldots, \sigma_n)$ by setting
$\sigma_i = r_i \oplus a_{ind_i}$.
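Construction 6, as an added example (not the paper's code), serving both the $n = 3$, $j = 2$ walk-through of Sect. 2.4 and the general construction above, and also its repeated application up a small formula, as the Sect. 2.2 reduction uses it. Representation choices here are ours: a secret is a tuple of $n$ blocks, each an integer in $D = \{0,1\}^k$; a wire-1 share is a list of (pointer, block) pairs; a wire-2 share is a list of $n+1$ blocks; indices are 0-based; and when a wire-1 share becomes the secret of the gate above it, `pack_wire1` packs each pointer and block into one block of $k + \lceil \log(n+1) \rceil$ bits, which is exactly the block size the text assigns to the first wire. `share_formula` and `eval_formula` play Bob's and Alice's roles on a formula given as nested tuples; `leaf_sizes` reports the resulting secret sizes per input wire, which follow the growth described under "GESS' performance".

```python
# Added example, not code from the paper: Construction 6 (the general AND/OR
# GESS of Sect. 2.4 and Appendix C) and its composition up a small formula.
# A secret is a tuple of n blocks (ints in D = {0,1}^k); a wire-1 share is a
# list of (pointer, block); a wire-2 share is a list of n+1 blocks; 0-based.
import random

GATES = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b}


def differing_index(s00, s01, s10, s11):
    """The one index j where the four secrets may differ (the TSEC condition);
    any index will do if they are all equal."""
    diff = [i for i in range(len(s00)) if len({s00[i], s01[i], s10[i], s11[i]}) > 1]
    if len(diff) > 1:
        raise ValueError("secrets differ in more than one block")
    return diff[0] if diff else 0


def shr6(s00, s01, s10, s11, k, rnd=random.SystemRandom()):
    """Shr of Construction 6 with block size k bits."""
    n, j = len(s00), differing_index(s00, s01, s10, s11)
    R = [rnd.randrange(1 << k) for _ in range(n)]      # R_1 .. R_n
    Rj = rnd.randrange(1 << k)                          # R'_j
    pi = list(range(n + 1))                             # permutation pi of {1..n+1}
    rnd.shuffle(pi)
    sh10 = [(pi[i], R[i]) for i in range(n)]
    sh11 = [(pi[i], R[i]) if i != j else (pi[n], Rj) for i in range(n)]

    def wire2(t_j, t_j_prime, s):                       # C_{m,pi(i)} = R_i xor t_i,
        c = [None] * (n + 1)
        for i in range(n):
            if i != j:
                c[pi[i]] = R[i] ^ s[i]
        c[pi[j]] = R[j] ^ t_j                           # except positions pi(j)
        c[pi[n]] = Rj ^ t_j_prime                       # and pi(n+1), as in Constr. 2
        return c

    return (sh10, sh11), (wire2(s00[j], s10[j], s00), wire2(s01[j], s11[j], s01))


def rec6(sh1, sh2):
    """Rec: sigma_i = r_i xor a_{ind_i}."""
    return tuple(r ^ sh2[ind] for ind, r in sh1)


def pack_wire1(sh, k):
    """A wire-1 share as the secret of the gate above: each (pointer, block)
    becomes one block of k + ceil(log2(n+1)) bits.  Returns (secret, new k)."""
    return tuple((ind << k) | r for ind, r in sh), k + len(sh).bit_length()


def share_formula(node, w, k, leaves):
    """Bob's side, top-down.  node is a leaf name or (op, left, right);
    w = (secret for wire value 0, secret for wire value 1).  Fills leaves."""
    if isinstance(node, str):
        leaves[node] = (w, k)
        return
    op, left, right = node
    s = {(a, b): w[GATES[op](a, b)] for a in (0, 1) for b in (0, 1)}
    (sh10, sh11), (sh20, sh21) = shr6(s[0, 0], s[0, 1], s[1, 0], s[1, 1], k)
    p0, k1 = pack_wire1(sh10, k)
    p1, _ = pack_wire1(sh11, k)
    share_formula(left, (p0, p1), k1, leaves)
    share_formula(right, (tuple(sh20), tuple(sh21)), k, leaves)


def eval_formula(node, x, leaves):
    """Alice's side: reconstruct upward from the selected leaf secrets.
    Returns (secret of this wire, its block size k)."""
    if isinstance(node, str):
        w, k = leaves[node]
        return w[x[node]], k
    _, left, right = node
    lsec, _ = eval_formula(left, x, leaves)
    rsec, k = eval_formula(right, x, leaves)
    sh1 = [(v >> k, v & ((1 << k) - 1)) for v in lsec]   # unpack the pointers
    return rec6(sh1, list(rsec)), k


def formula_value(node, x):
    if isinstance(node, str):
        return x[node]
    op, left, right = node
    return GATES[op](formula_value(left, x), formula_value(right, x))


def leaf_sizes(leaves):
    """Bits per input-wire secret: n blocks of k bits."""
    return {name: len(w[0]) * k for name, (w, k) in leaves.items()}


def check_formula(node, w=((0,), (1,)), k=1):
    """Share once with 1-bit output secrets, then check that Alice recovers the
    output secret of the true formula value for every input assignment."""
    leaves = {}
    share_formula(node, w, k, leaves)
    names = sorted(leaves)
    for bits in range(1 << len(names)):
        x = {nm: (bits >> i) & 1 for i, nm in enumerate(names)}
        out, _ = eval_formula(node, x, leaves)
        if out != w[formula_value(node, x)]:
            return False
    return True


FORMULA = ("AND", ("OR", "x1", "x2"), ("AND", "x3", "x4"))
```

For `FORMULA` with 1-bit output secrets the sizes come out as 3, 4, 6 and 3 bits for x1 to x4: one level down the first wire has $n = 1$ block of $k = 2$ bits and the second wire $n = 2$ blocks of $k = 1$ bit, and the next level repeats the step on each, matching the $n+1$ blocks of $k + \lceil \log(n+1) \rceil$ bits stated in the text.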


Theorem 8. For each $n, k, j \in \mathbb{N}$, Construction 6 is a GESS scheme as defined
by Def. 1. (Note that security and correctness hold w.r.t. $TSEC$.)

Proof. (Sketch): The correctness of the reconstruction is easily verifiable. To
prove security, we construct a simulator $Sim(s)$. On input $s = \sigma_1, \ldots, \sigma_n$, $Sim(s)$
does the following. He chooses random $r'_1, \ldots, r'_{n+1} \in_R D$ and a random permuta-
tion $\rho : \{1..n+1\} \to \{1..n+1\}$. He outputs the shares $sh_1 = (\rho(1)r'_1, \ldots, \rho(n)r'_n)$
and $sh_2 = (\sigma_{\rho^{-1}(1)} \oplus r'_{\rho^{-1}(1)}, \ldots, \sigma_{\rho^{-1}(n+1)} \oplus r'_{\rho^{-1}(n+1)})$.

We now prove that Sim perfectly simulates the real-life generated shares.
The first share is distributed identically to both of the real-life generated shares
of the first vector. Indeed, each $r'_i$ is distributed identically to each $R_i$, $R_j$ and $R'_j$,
and $\rho(1), \ldots, \rho(n)$ is distributed identically to $\pi(1), \ldots, \pi(n)$ and to $\pi(1), \ldots, \pi(j-1),
\pi(n+1), \pi(j+1), \ldots, \pi(n)$, for any $j$.

As for the second share, all blocks (and their positions) are generated iden-
tically to the real execution, with the exception of blocks in positions $\rho(j)$ and
$\rho(n+1)$. Proof of the equality of their distribution to the corresponding blocks
of the real distribution closely follows that of Construction 2 and is omitted. □

5 This permutation specifies which block of the second tuple is XOR'ed with the $i$-th
block of the first tuple to obtain the $i$-th block of the reconstructed secret.
D Case Analysis for the Proof of Theorem 2

Proof. (Sketch): We need to consider the four possible combinations of gate in-
put values $i_1, i_2 \in \{0,1\}$. We show that Sim perfectly simulates the correspond-
ing truly generated shares. Denote random variables $(sh_1, sh_2) = (b'r, a_0a_1) =
Sel(Shr(s_{00}, \ldots, s_{11}), (i_1, i_2))$. We write out only one case; others are analogous.

Case $i_1 = 0$, $i_2 = 0$. Thus $s = s_{G(0,0)}$.

Correctness: If $b = 0$, then $b' = 0$, $sh_1 = 0R_0$, $sh_2 = (s_{00} \oplus R_0, s_{10} \oplus R_1)$.
$Rec(sh_1, sh_2) = R_0 \oplus (s_{00} \oplus R_0) = s_{00} = s$. If $b = 1$, then $b' = 1$, $sh_1 =
1R_0$, $sh_2 = (s_{10} \oplus R_1, s_{00} \oplus R_0)$. $Rec(sh_1, sh_2) = R_0 \oplus (s_{00} \oplus R_0) = s_{00} = s$.
Security: Clearly, $Sim(s)$ perfectly simulates $sh_1$. Further, $sh_2$ consists of two
blocks $B_{00} = s \oplus R_0$ and $B_{10} = s_{10} \oplus R_1$. Observe that $B_{10} = s_{10} \oplus R_1$ is dis-
tributed uniformly randomly on $SEC$ (since $R_1$ is random on $SEC$ and secret).
Therefore, $sh_2$ consists of two blocks from $SEC$, where one block is random on
$SEC$ and the other is equal to $s \oplus R_0$, where the non-random block is pointed to
by the bit $b'$ of $sh_1$. Therefore $Sim(s)$ also perfectly simulates $sh_2$ and the pair
$(sh_1, sh_2)$, since $d$ is distributed identically to $b'$. □

E Proof of Theorem 7

Proof. (Sketch): The reduction is trivially secure against Bob, since he does not
receive any messages from Alice. To prove security against Alice, we will show
how to simulate the input wires' secrets and gate labels that Bob sends to Alice,
given the output of the computation. We present the proof for binary fan-in 2
circuits; a more general argument is readily obtained by natural generalization.

The simulator $Sim(x, b)$ proceeds as follows. First, it (perfectly) simulates
the secret of the output wire by $s$.

Then, for each level of the circuit, starting from the bottom, for each gate $G$
of the current level: given the (previously simulated) $G$'s output wires' secrets
$s_0, \ldots, s_{k-1}$, it simulates $G$'s input wires' secrets and gate labels as follows. It
chooses two random keys $s', s''$ from the key domain of the employed encryption
scheme. Then it computes $e_0 = Enc_{s'}((s_0, \ldots, s_{k-1}))$, $e_1 = Enc_{s''}((0, \ldots, 0))$ and
assigns $G$'s labels to be a random permutation of $e_0, e_1$. Then Sim runs the
simulator $S_G(s')$ of the secret sharing scheme of $G$. The simulator $S_G(s')$
produces two shares (distributed identically to real execution), each of which is
the simulation of the secret of the corresponding wire.

Sim runs the above procedure on $C$ "from the bottom up", and eventually
obtains the simulations of the input wires and gate labels, which he outputs,
suitably formatted.

We note the true randomness of all encryption keys and the perfect simu-
lations of secret sharing schemes. Intuitively, the only way for an adversary to
distinguish the simulation from the real execution is by distinguishing the sets
of non-decrypted gate labels. However, learning anything "substantial" that way
would mean breaking the semantic security of the employed encryption scheme,
which can be shown by a simple hybrid argument. □
Abstract. As an extension of multi-party computation (MPC), we propose the
concept of secure parallel multi-party computation, which is to securely compute
multiple functions against an adversary with multiple structures. Precisely, there
are $m$ functions $f_1, \ldots, f_m$ and $m$ adversary structures
$\mathcal{A}_1, \ldots, \mathcal{A}_m$, where $f_i$ is required to be securely
computed against an $\mathcal{A}_i$-adversary. We give a general construction to
build a parallel multi-party computation protocol from any linear multi-secret
sharing scheme (LMSSS), provided that the access structures of the LMSSS allow
MPC at all. When computing complicated functions, our protocol has an advantage
in communication complexity over the "direct sum" method, which actually executes
an MPC protocol for each function. The paper also provides an efficient and
generic construction to obtain from any LMSSS a multiplicative LMSSS for the same
multi-access structure.

1 Introduction 

The secure multi-party computation (MPC) protocol is used for $n$ players to
jointly compute an agreed function of their private inputs in a secure way, where
security means guaranteeing the correctness of the output and the privacy of the
players' inputs, even when some players cheat. It is fundamental in cryptography
and distributed computation, because a solution of the MPC problem implies in
principle a solution to any cryptographic protocol problem, such as the voting
problem, blind signatures, and so on. After it was proposed by Yao [11] for the
two-party case and by Goldreich, Micali and Wigderson [6] for the multi-party case,
it has become an active and developing field of information security.

In the MPC problem, it is common to model cheating by considering an adversary
who may corrupt some subset of the players. The collection of all subsets that an
adversary may corrupt is called the adversary structure, denoted by $\mathcal{A}$,
and this adversary is called an $\mathcal{A}$-adversary. So the MPC problem is to
securely compute a function with respect to an adversary structure. But in practice
it is sometimes necessary to simultaneously compute several different functions
with respect to different adversary structures. For example, in the voting problem
$n = 2t + 1$ ($t > 1$) voters are to select a chairman and several fellows for a
committee at the same time from $m$ candidates. Because the position of the
chairman is more important than that of a fellow, the voting for the chairman is
required to be secure against a $(t, n)$ threshold adversary, while the voting for
the fellows is required to be secure against a $(2, n)$ threshold adversary. This
motivates us to propose parallel multi-party computation, i.e., to extend MPC to
parallel MPC. Precisely, in the problem of parallel multi-party computation, there
are $m$ functions $f_1, \ldots, f_m$ and $m$ adversary structures
$\mathcal{A}_1, \ldots, \mathcal{A}_m$, where $f_i$ is required to be securely
computed against an $\mathcal{A}_i$-adversary.

Obviously, secure parallel multi-party computation can be realized by designing
for each function an MPC protocol with respect to the corresponding adversary
structure, and then running all the protocols in a composite way. We call this the
"direct sum" method. In this paper we propose another way to realize parallel
multi-party computation. It is well known that secret sharing schemes are an
elementary tool for studying MPC. Cramer, Damgard and Maurer [3] gave a generic
and efficient construction to build an MPC protocol from any linear secret sharing
scheme (LSSS). As an extension of secret sharing schemes, Blundo, De Santis and
Di Crescenzo [2] proposed the general concept of multi-secret sharing schemes,
which is to share multi-secrets with respect to multi-access structures, and Ding,
Laihonen and Renvall [4] studied linear multi-secret sharing schemes. Based on
Xiao and Liu's work [10] about linear multi-secret sharing schemes (LMSSS) and
the construction in [3], we give a generic and efficient construction to build a
parallel multi-party computation protocol from any LMSSS, provided that the
access structures of the LMSSS allow MPC at all [7]. We only deal with adaptive,
passive adversaries in the information-theoretic model. When computing
complicated functions, our protocol has an advantage in communication complexity
over the "direct sum" method.

The paper is organized as follows: in Section 2 we review some basic concepts, 
such as LSSS, monotone span programs (MSP) and LMSSS. In Section 3 we give 
a clear description for the problem of secure parallel multi-party computation, 
and then obtain a generic protocol for it from any LMSSS. Furthermore we com- 
pare our protocol with the “direct sum” method in communication complexity. 
In the last section, a specific example is displayed in detail to show how our 
protocol works as well as its advantage. 


2 Preliminaries 

Since secret sharing schemes are our primary tool, we first review some basic
concepts and results about them, such as linear secret sharing schemes,
multi-secret sharing schemes, monotone span programs, and so on. Throughout this
paper, $P = \{P_1, \ldots, P_n\}$ is the set of participants and $\mathcal{K}$ is a
finite field.

2.1 LSSS vs MSP 

It is well known that an access structure, denoted by $AS$, is a collection of
subsets of $P$ satisfying the monotone ascending property: for any $A' \in AS$ and
$A \in 2^P$ with $A' \subseteq A$, it holds that $A \in AS$; and an adversary
structure, denoted by $\mathcal{A}$, is a collection of subsets of $P$ satisfying the
monotone descending property: for any $A' \in \mathcal{A}$ and $A \in 2^P$ with
$A \subseteq A'$, it holds that $A \in \mathcal{A}$. In this paper we consider the
complete situation, i.e. $\mathcal{A} = 2^P \setminus AS$. Because of the monotone
property, for any access structure $AS$ it is enough to consider the minimum access
structure $AS_m$ defined as $AS_m = \{A \in AS \mid \forall B \subsetneq A \Rightarrow B \notin AS\}$.

Suppose that $S$ is the secret domain, $R$ is the set of random inputs, and $S_i$ is
the share domain of $P_i$, where $1 \le i \le n$. A secret sharing scheme with
respect to an access structure $AS$ is composed of the distribution function
$\Pi : S \times R \to S_1 \times \cdots \times S_n$ and the reconstruction functions
$Re = \{Re_A : (S_1 \times \cdots \times S_n)|_A \to S \mid A \in AS\}$, such that
the following two requirements are satisfied.

(i) Correctness requirement: for any $A \in AS$, $s \in S$ and $r \in R$, it holds
that $Re_A(\Pi(s, r)|_A) = s$, where, if $A = \{P_{i_1}, \ldots, P_{i_{|A|}}\}$ and
$\Pi(s, r) = (s_1, \ldots, s_n)$, then $\Pi(s, r)|_A = (s_{i_1}, \ldots, s_{i_{|A|}})$.

(ii) Security requirement: for any $B \notin AS$, i.e., $B \in \mathcal{A} = 2^P \setminus AS$,
it holds that $0 < H(S \mid \Pi(S, R)|_B) \le H(S)$, where $H(\cdot)$ is the entropy
function.

In the security requirement, if $H(S \mid \Pi(S, R)|_B) = H(S)$, we call it a perfect
secret sharing scheme, which is what we are interested in. Furthermore, a perfect
secret sharing scheme is linear (LSSS for short) if $S$, $R$, $S_i$ are all linear
spaces over $\mathcal{K}$ and the reconstruction function is linear [1].

Karchmer and Wigderson [8] introduced monotone span programs (MSP) as linear
models computing monotone Boolean functions. Usually we denote an MSP by
$\mathcal{M}(\mathcal{K}, M, \psi)$, where $M$ is a $d \times l$ matrix over
$\mathcal{K}$ and $\psi : \{1, \ldots, d\} \to \{P_1, \ldots, P_n\}$ is a surjective
labelling map which actually distributes to each participant some rows of $M$. We
call $d$ the size of the MSP. For any subset $A \subseteq P$, there is a
corresponding characteristic vector $\delta_A = (\delta_1, \ldots, \delta_n) \in \{0, 1\}^n$,
where for $1 \le i \le n$, $\delta_i = 1$ if and only if $P_i \in A$. Consider a
monotone Boolean function $f : \{0, 1\}^n \to \{0, 1\}$, which satisfies that for
any $A \subseteq P$ and $B \subseteq A$, $f(\delta_B) = 1$ implies $f(\delta_A) = 1$.
We say that an MSP $\mathcal{M}(\mathcal{K}, M, \psi)$ computes the monotone
Boolean function $f$ with respect to a target vector
$\vec{v} \in \mathcal{K}^l \setminus \{(0, \ldots, 0)\}$ if it holds that
$\vec{v} \in span\{M_A\}$ if and only if $f(\delta_A) = 1$, where $M_A$ consists of
the rows $i$ of $M$ with $\psi(i) \in A$, and $\vec{v} \in span\{M_A\}$ means that
there exists a vector $\vec{w}$ such that $\vec{v} = \vec{w} M_A$. Beimel [1] proved
that devising an LSSS with respect to an access structure $AS$ is equivalent to
constructing an MSP computing the monotone Boolean function $f_{AS}$ which
satisfies $f_{AS}(\delta_A) = 1$ if and only if $A \in AS$.
2.2 LMSSS vs MSP

Multi-secret sharing schemes [2] are to share multi-secrets with respect to
multi-access structures. Precisely, let $AS_1, \ldots, AS_m$ be $m$ access structures
over $P$, $S^1 \times \cdots \times S^m$ be the secret domain, $S_1, \ldots, S_n$ be
the share domains and $R$ be the set of random inputs. Without loss of generality,
we assume that $S^1 = \cdots = S^m = \mathcal{K}$. A linear multi-secret sharing
scheme (LMSSS for short) realizing the multi-access structure $AS_1, \ldots, AS_m$
is composed of the distribution function

$$\Pi : \mathcal{K}^m \times R \to S_1 \times \cdots \times S_n,$$

$$\Pi(s^1, \ldots, s^m, r) = \big(\Pi_1(s^1, \ldots, s^m, r), \ldots, \Pi_n(s^1, \ldots, s^m, r)\big) \qquad (1)$$

and the reconstruction functions
$Re = \{Re^i_A : (S_1 \times \cdots \times S_n)|_A \to \mathcal{K} \mid 1 \le i \le m,\ A \in AS_i\}$,
such that the following three conditions hold:

(i) $S_1, \ldots, S_n$ and $R$ are finite-dimensional linear spaces over
$\mathcal{K}$, i.e., there exist positive integers $d_k$, $1 \le k \le n$, and $l$
such that $S_k = \mathcal{K}^{d_k}$ and $R = \mathcal{K}^l$. Precisely, in
equality (1) we have $\Pi_k(s^1, \ldots, s^m, r) \in \mathcal{K}^{d_k}$ for
$1 \le k \le n$. Furthermore, denote

$$\Pi_k(s^1, \ldots, s^m, r) = \big(\Pi_{k1}(s^1, \ldots, s^m, r), \ldots, \Pi_{kd_k}(s^1, \ldots, s^m, r)\big),$$

where $\Pi_{kj}(s^1, \ldots, s^m, r) \in \mathcal{K}$ and $1 \le j \le d_k$. Usually
$d = \sum_{k=1}^n d_k$ is called the size of the linear multi-secret sharing scheme.

(ii) The reconstruction function is linear. That is, for any set $A \in AS_i$,
$1 \le i \le m$, there exists a set of constants
$\{a^i_{kj} \in \mathcal{K} \mid 1 \le k \le n,\ P_k \in A,\ 1 \le j \le d_k\}$ such
that for any $s^1, \ldots, s^m \in \mathcal{K}$ and $r \in R$,

$$s^i = Re^i_A\big(\Pi(s^1, \ldots, s^m, r)|_A\big) = \sum_{P_k \in A} \sum_{j=1}^{d_k} a^i_{kj}\, \Pi_{kj}(s^1, \ldots, s^m, r).$$

(iii) Security requirement: for any set $B \subseteq \{P_1, \ldots, P_n\}$ and
$T \subseteq \{S^1, \ldots, S^m\} \setminus \{S^i \mid B \in AS_i,\ 1 \le i \le m\}$,
it holds that $H(T \mid B) = H(T)$, where $H(\cdot)$ is the entropy function.

Similar to the equivalence relation between LSSS and MSP, Xiao and Liu [10]
studied a corresponding relation between LMSSS and MSPs computing multi-Boolean
functions. Let $\mathcal{M}(\mathcal{K}, M, \psi)$ be an MSP with the $d \times l$
matrix $M$, and let $f_1, \ldots, f_m : \{0, 1\}^n \to \{0, 1\}$ be $m$ monotone
Boolean functions. Suppose $\vec{v}_1, \ldots, \vec{v}_m$ are $m$ linearly
independent $l$-dimensional vectors over $\mathcal{K}$; then it follows that
$m \le l$. In practice we always have $m < l$ in order to use random bits. Then
$\mathcal{M}$ can compute the Boolean functions $f_1, \ldots, f_m$ with respect to
$\vec{v}_1, \ldots, \vec{v}_m$ if for any $1 \le k \le m$ and
$1 \le i_1 < \cdots < i_k \le m$ the following two conditions hold:

(i) For any $A \subseteq P$, $f_{i_1}(\delta_A) = \cdots = f_{i_k}(\delta_A) = 1$
implies that $\vec{v}_{i_j} \in span\{M_A\}$ for $1 \le j \le k$.

(ii) For any $A \subseteq P$, $f_{i_1}(\delta_A) = \cdots = f_{i_k}(\delta_A) = 0$
implies that

$$\mathrm{Rank}\begin{pmatrix} M_A \\ \vec{v}_{i_1} \\ \vdots \\ \vec{v}_{i_k} \end{pmatrix} = \mathrm{Rank}\, M_A + k.$$

After a proper linear transform, any MSP computing the multi-Boolean function
$f_{AS_1}, \ldots, f_{AS_m}$ with respect to $\vec{v}_1, \ldots, \vec{v}_m$ can be
converted into an MSP computing the same multi-Boolean function with respect to
$\vec{e}_1, \ldots, \vec{e}_m$, where $\vec{e}_i = (0, \ldots, 0, 1, 0, \ldots, 0) \in \mathcal{K}^l$
has its single 1 in position $i$, $1 \le i \le m$. So without loss of generality we
always assume the target vectors are $\vec{e}_1, \ldots, \vec{e}_m$.

Theorem 1. [10] Let $AS_1, \ldots, AS_m$ be $m$ access structures over $P$ and
$f_{AS_1}, \ldots, f_{AS_m}$ be the corresponding characteristic functions. Then
there exists a linear multi-secret sharing scheme realizing $AS_1, \ldots, AS_m$
over a finite field $\mathcal{K}$ with size $d$ if and only if there exists a
monotone span program computing the monotone Boolean functions
$f_{AS_1}, \ldots, f_{AS_m}$ with size $d$.

Actually, let $\mathcal{M}(\mathcal{K}, M, \psi)$ be an MSP computing the monotone
Boolean functions $f_{AS_1}, \ldots, f_{AS_m}$ with respect to
$\vec{e}_1, \ldots, \vec{e}_m$, where $M$ is a $d \times l$ matrix. Then the
corresponding LMSSS realizing $AS_1, \ldots, AS_m$ over $\mathcal{K}$ is as follows.
For any multi-secret $(s^1, \ldots, s^m) \in \mathcal{K}^m$ and random input
$\vec{\rho} \in \mathcal{K}^{l-m}$, the distribution function is defined by

$$\Pi(s^1, \ldots, s^m, \vec{\rho}) = \big((s^1, \ldots, s^m, \vec{\rho})(M_{P_1})^T, \ldots, (s^1, \ldots, s^m, \vec{\rho})(M_{P_n})^T\big),$$

where "$T$" denotes the transpose and $M_{P_k}$ denotes $M$ restricted to those
rows $i$ with $\psi(i) = P_k$, $1 \le i \le d$, $1 \le k \le n$. As to reconstruction,
since $\vec{e}_i \in span\{M_A\}$ for any $A \in AS_i$, i.e., there exists a vector
$\vec{w}$ such that $\vec{e}_i = \vec{w} M_A$, we have

$$s^i = (s^1, \ldots, s^m, \vec{\rho})\,\vec{e}_i^{\,T} = (s^1, \ldots, s^m, \vec{\rho})(\vec{w} M_A)^T = (s^1, \ldots, s^m, \vec{\rho})(M_A)^T \vec{w}^{\,T},$$

where $(s^1, \ldots, s^m, \vec{\rho})(M_A)^T$ are the shares held by the players in
$A$ and $\vec{w}$ can be computed by every participant.
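The construction above, worked as an added Python example (this code is not part of the paper). It builds the LMSSS from an MSP over GF(p): the distribution function $\Pi$, the linear reconstruction $Re^i_A$ obtained by solving $\vec{e}_i = \vec{w} M_A$, a brute-force check of conditions (i) and (ii) of this section over every player subset, and the Q2 test that Proposition 1 in Section 3 relies on. The matrix $M$ and labelling $\psi$ are the ones the paper uses in its Section 4 example; the prime $p = 101$ and the sample secrets are assumptions of this example, since the paper only requires $|\mathcal{K}| > 5$.

```python
# Added example, not code from the paper: the LMSSS that Theorem 1 derives
# from a monotone span program, over GF(p). M and psi are the 9x4 matrix and
# labelling of the paper's Section 4; p = 101 is an arbitrary prime (|K| > 5).
from itertools import combinations

P = 101                                   # assumption: K = GF(101)
M = [[1, 0, 1, 1], [0, 0, 0, 1],          # rows 1-2 -> P1
     [0, 0, 0, 1], [2, 0, 1, 1],          # rows 3-4 -> P2
     [0, 0, 1, 1],                        # row 5    -> P3
     [0, 0, 1, 0], [0, 1, -2, -1],        # rows 6-7 -> P4
     [0, 0, 2, 1], [0, 1, -1, -1]]        # rows 8-9 -> P5
PSI = [1, 1, 2, 2, 3, 4, 4, 5, 5]         # psi(row) = owning player
N, L = 5, 4                               # n players, l columns (m = 2 secrets)

def rref(rows):
    """Reduced row echelon form over GF(p); returns (reduced rows, rank)."""
    A, rank = [[x % P for x in r] for r in rows], 0
    for col in range(len(A[0]) if A else 0):
        piv = next((i for i in range(rank, len(A)) if A[i][col]), None)
        if piv is None:
            continue
        A[rank], A[piv] = A[piv], A[rank]
        inv = pow(A[rank][col], P - 2, P)
        A[rank] = [x * inv % P for x in A[rank]]
        for i in range(len(A)):
            if i != rank and A[i][col]:
                f = A[i][col]
                A[i] = [(a - f * b) % P for a, b in zip(A[i], A[rank])]
        rank += 1
    return A, rank

def rank(rows):
    return rref(rows)[1] if rows else 0

def unit(i):
    return [int(c == i - 1) for c in range(L)]   # target vector e_i

def rows_of(A):
    return [M[j] for j in range(len(M)) if PSI[j] in A]   # M_A

def solve_left(rows, target):
    """w with w * rows == target over GF(p), or None if target is not in the span."""
    R, _ = rref([[r[c] for r in rows] + [target[c]] for c in range(len(target))])
    w = [0] * len(rows)
    for r in R:
        piv = next((j for j in range(len(rows)) if r[j]), None)
        if piv is None and r[-1]:
            return None                       # 0 = nonzero: inconsistent
        if piv is not None:
            w[piv] = r[-1]                    # free variables set to 0
    return w

def share(secrets, rho):
    """Distribution function: P_k gets (s^1..s^m, rho) * M_{P_k}^T."""
    v = list(secrets) + list(rho)
    out = {k: [] for k in range(1, N + 1)}
    for row, owner in zip(M, PSI):
        out[owner].append(sum(a * b for a, b in zip(v, row)) % P)
    return out

def reconstruct(shares, A, i):
    """Re^i_A: recover s^i from the shares of A, or None if A is unqualified."""
    w = solve_left(rows_of(A), unit(i))
    if w is None:
        return None
    held = [s for k in sorted(A) for s in shares[k]]   # same order as rows_of(A)
    return sum(a * b for a, b in zip(w, held)) % P

def subsets():
    return [frozenset(c) for r in range(N + 1) for c in combinations(range(1, N + 1), r)]

def realizes(access):
    """Conditions (i) and (ii) of Section 2.2 for every A; access[i] is the set of
    qualified subsets for secret i. Taking all 'zero' indices at once covers every
    sub-selection i_1 < ... < i_k of (ii)."""
    for A in subsets():
        MA = rows_of(A)
        ones = [i for i in access if A in access[i]]
        zeros = [i for i in access if A not in access[i]]
        if any(rank(MA + [unit(i)]) != rank(MA) for i in ones):
            return False
        if rank(MA + [unit(i) for i in zeros]) != rank(MA) + len(zeros):
            return False
    return True

def is_q2(access_i):
    """Q2 of Proposition 1: no two unqualified sets cover the whole player set."""
    bad = [A for A in subsets() if A not in access_i]
    return all(B1 | B2 != frozenset(range(1, N + 1)) for B1 in bad for B2 in bad)

# The two access structures AS_1, AS_2 of the paper's Section 4.
ACCESS = {1: {A for A in subsets() if len(A) >= 2 and A & {1, 2}},
          2: {A for A in subsets() if len(A) >= 2 and A & {4, 5}}}
```

`share([7, 9], [3, 5])` hands $P_1$ the pair $(7 + 3 + 5, 5)$, and `reconstruct(..., {1, 3}, 1)` recovers 7 while `reconstruct(..., {1, 2}, 2)` returns `None`, because $\{P_1, P_2\}$ is qualified for the first secret only. `realizes(ACCESS)` is the mechanical form of the "it can be verified" step in Section 4.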

3 Parallel Multi-party Computation 

3.1 Concepts and Notations 

The problem of secure MPC for one function has been studied by many people and
it can be stated as follows: $n$ players $P_1, \ldots, P_n$ are to securely compute
an agreed function $f(x_1, \ldots, x_n) = (y_1, \ldots, y_n)$ against an
$\mathcal{A}$-adversary, where $P_i$ holds the private input $x_i$ and is to get the
output $y_i$. Security means that the correctness of the outputs and the privacy of
the players' inputs are always guaranteed no matter which set in $\mathcal{A}$ is
corrupted by the adversary. In fact the function $f$ can be represented as
$f = (f_1, \ldots, f_n)$, where $f_i(x_1, \ldots, x_n) = y_i$ for $1 \le i \le n$. As
is the general way of treating the MPC problem, we assume that the functions
involved hereafter are all of the form of $f_i$. So the MPC problem can be seen as
securely computing $n$ functions with respect to the same adversary structure. As
a natural extension, it is reasonable to consider securely computing multiple
functions with respect to multiple adversary structures. Thus we propose the
concept of secure parallel multi-party computation.
Precisely, there are $m$ functions $f_1(x_1, \ldots, x_n), \ldots, f_m(x_1, \ldots, x_n)$
and $m$ corresponding adversary structures $\mathcal{A}_1, \ldots, \mathcal{A}_m$.
For $1 \le i \le n$, player $P_i$ has private input $(x_i^{(1)}, \ldots, x_i^{(m)})$,
where $x_i^{(j)}$ is $P_i$'s input to the function $f_j(x_1, \ldots, x_n)$. So the
final value of $f_j$ is $f_j(x_1^{(j)}, x_2^{(j)}, \ldots, x_n^{(j)})$. An
$(\mathcal{A}_1, \ldots, \mathcal{A}_m)$-adversary can corrupt any set in
$\mathcal{A}_1 \cup \cdots \cup \mathcal{A}_m$. The $n$ players are to securely
compute the multi-function $f_1, \ldots, f_m$ against an
$(\mathcal{A}_1, \ldots, \mathcal{A}_m)$-adversary; that is, for any corrupted set
$B \in \mathcal{A}_{i_1} \cap \cdots \cap \mathcal{A}_{i_k}$, where
$1 \le i_1 < \cdots < i_k \le m$ and $k \le m$, the functions $f_{i_1}, \ldots, f_{i_k}$
are securely computed, which includes the following two aspects:

(i) Correctness: for $1 \le i \le n$, $P_i$ finally gets the correct outputs of the
functions $f_{i_1}, \ldots, f_{i_k}$.

(ii) Privacy: the adversary gets no information about the other players' (players
outside $B$) inputs for the functions $f_{i_1}, \ldots, f_{i_k}$, except what can be
implied from the inputs and outputs held by the players in $B$.

The problem of secure parallel multi-party computation for the multi-function
$f_1, \ldots, f_m$ against an $(\mathcal{A}_1, \ldots, \mathcal{A}_m)$-adversary is
essentially a direct composition of the problems of secure MPC for $f_i$ against an
$\mathcal{A}_i$-adversary, $1 \le i \le m$. So it can be solved by designing, for
each function and the corresponding adversary structure, a secure MPC protocol and
running them in a composite way. We call this the "direct sum" method. One of the
results in [7] tells us that in the information-theoretic model every function can
be securely computed against an adaptive, passive $\mathcal{A}$-adversary if and
only if $\mathcal{A}$ is Q2, where Q2 is the condition that no two of the sets in the
structure cover the full player set. Thus we evidently have the following
proposition.

Proposition 1. In the information-theoretic model, there exists a parallel
multi-party computation protocol computing $m$ functions securely against an
adaptive, passive $(\mathcal{A}_1, \ldots, \mathcal{A}_m)$-adversary if and only if
$\mathcal{A}_1, \ldots, \mathcal{A}_m$ are all Q2.

Cramer et al. [3] build a secure MPC protocol for one function based on a
multiplicative MSP computing one Boolean function. Here we extend it to
multiplicative MSPs computing multi-Boolean functions. Precisely, let
$\mathcal{M}(\mathcal{K}, M, \psi)$ be an MSP as described in Section 2. Given two
vectors $\vec{x} = (x_1, \ldots, x_d)$, $\vec{y} = (y_1, \ldots, y_d) \in \mathcal{K}^d$,
we let $\vec{x} \diamond \vec{y}$ be the vector containing all entries of the form
$x_i \cdot y_j$ with $\psi(i) = \psi(j)$, and $\langle \vec{x}, \vec{y} \rangle$ denote
the inner product. For example, let

$$\vec{x} = (x_{11}, \ldots, x_{1d_1}, \ldots, x_{n1}, \ldots, x_{nd_n}), \qquad \vec{y} = (y_{11}, \ldots, y_{1d_1}, \ldots, y_{n1}, \ldots, y_{nd_n}),$$

where $\sum_{i=1}^n d_i = d$ and $x_{i1}, \ldots, x_{id_i}$, as well as
$y_{i1}, \ldots, y_{id_i}$, are the entries distributed to $P_i$ according to $\psi$.
Then $\vec{x} \diamond \vec{y}$ is the vector composed of the $\sum_{i=1}^n d_i^2$
entries $x_{ij} y_{ik}$, where $1 \le j, k \le d_i$, $1 \le i \le n$, and
$\langle \vec{x}, \vec{y} \rangle = \sum_{i=1}^n \sum_{j=1}^{d_i} x_{ij} y_{ij}$.

Using these notations, we give the following definition.

Definition 1. A monotone span program $\mathcal{M}(\mathcal{K}, M, \psi)$
computing the Boolean functions $f_1, \ldots, f_m$ with respect to
$\vec{e}_1, \ldots, \vec{e}_m$ is called multiplicative if for $1 \le i \le m$ there
exists a $\sum_{k=1}^n d_k^2$-dimensional recombination vector $\vec{r}_i$ such
that for any two multi-secrets $(s^1, \ldots, s^m), (s'^1, \ldots, s'^m) \in \mathcal{K}^m$
and any $\vec{\rho}, \vec{\rho}' \in \mathcal{K}^{l-m}$, it holds that

$$s^i s'^i = \big\langle \vec{r}_i,\ (s^1, \ldots, s^m, \vec{\rho}) M^T \diamond (s'^1, \ldots, s'^m, \vec{\rho}') M^T \big\rangle.$$

In fact, when $m = 1$ the definition is the same as that of [3]. In the appendix we
give an efficient and generic construction to build from any MSP a multiplicative
MSP computing the same multi-Boolean function. Hence in the following we assume
that the underlying MSP in Section 3.2 is already multiplicative.


3.2 Construction from Any LMSSS 

In this section, assuming the adversary is passive and adaptive, we give a generic
and efficient construction to obtain from any LMSSS a parallel multi-party
computation protocol in the information-theoretic model, provided that the access
structures of the LMSSS allow MPC at all. Since LMSSS and MSP are equivalent, it
turns out to be convenient to describe our protocol in terms of MSPs. We only
describe the protocol in the case $m = 2$; the extension to $m > 2$ is natural.

Suppose $\mathcal{A}_1$ and $\mathcal{A}_2$ are two adversary structures over $P$
and they are both Q2. For $1 \le i \le n$, player $P_i$ has private input
$(x_i^{(1)}, x_i^{(2)})$, and the players are to jointly compute the functions
$f_1(x_1, \ldots, x_n)$ and $f_2(x_1, \ldots, x_n)$. Let $AS_1 = 2^P \setminus \mathcal{A}_1$,
$AS_2 = 2^P \setminus \mathcal{A}_2$, and let $\mathcal{M}(\mathcal{K}, M, \psi)$ be a
multiplicative MSP computing the Boolean functions $f_{AS_1}$ and $f_{AS_2}$ with
respect to the target vectors $\vec{e}_1, \vec{e}_2$, where $M$ is a $d \times l$
matrix over $\mathcal{K}$. How to construct such an MSP is outside the concern of
this paper. Next we describe our protocol in three phases: input sharing,
computing and outputting.

Input Sharing. First each player shares his private input by using the MSP
$\mathcal{M}$, i.e., for $1 \le i \le n$, player $P_i$ secretly and randomly selects
$\vec{\rho}_i$ in the set of random inputs $R = \mathcal{K}^{l-2}$ and sends
$(x_i^{(1)}, x_i^{(2)}, \vec{\rho}_i)(M_{P_j})^T$ to player $P_j$, where
$1 \le j \le n$ and $j \ne i$.

Computing. Since any function that is feasible to compute at all can be specified
as a polynomial-size arithmetic circuit over a finite field $\mathcal{K}$ with
addition gates and multiplication gates, it is enough for us to discuss how to do
additions and multiplications over $\mathcal{K}$. Differently from computing a
single function, in parallel multi-party computation we compute the functions
simultaneously rather than one after another.

Precisely, suppose $f_1$ contains $p$ multiplications and $f_2$ contains $q$
multiplications, where $p \le q$ and a multiplication here is an operation between
two elements. Then in each of the first $p$ steps we compute two multiplications,
one from each function. In each of the following $q - p$ steps we continue to
compute a multiplication of $f_2$ and do nothing for $f_1$. So after $q$ steps we
have completed all the multiplications of both functions and obtained the
intermediate results needed. Finally we compute all additions of both functions in
one step. By doing so, we need less communication and fewer random bits than the
"direct sum" method. Furthermore, in order to guarantee security, all inputs and
outputs of each step are multi-secret shared during the computation, and we call
this condition the "invariant".
Example 1. Let $P = \{P_1, P_2, P_3\}$, $f_1 = x_1 x_2 x_3$ and $f_2 = x_1 x_2 + x_3$.
For $1 \le i \le 3$, $P_i$ has private input $(x_i^{(1)}, x_i^{(2)})$, which is
multi-secret shared in the Input Sharing phase. Since $f_1$ contains two
multiplications and $f_2$ contains one multiplication, the computing phase
consists of three steps. The following table shows the computing process. In the
table, $x_i^{(j)}$ denotes an input value for the function $f_j$ held by $P_i$,
$z_i^{(j)}$ denotes an intermediate value held by an imaginary player, $x_i$ and
$z_i$ are variables, and $z_{ij}$ is the function to be computed at each step, where
$1 \le i \le 3$ and $1 \le j \le 2$.

Step   | input                                                                        | to compute                               | output
Step 1 | $(x_1^{(1)}, x_1^{(2)}),\ (x_2^{(1)}, x_2^{(2)}),\ (x_3^{(1)}, x_3^{(2)})$ | $(z_{11} = x_2 x_3,\ z_{12} = x_1 x_2)$ | $(z_1^{(1)} = x_2^{(1)} x_3^{(1)},\ z_1^{(2)} = x_1^{(2)} x_2^{(2)})$
Step 2 | $(x_1^{(1)}, x_1^{(2)}),\ (z_1^{(1)}, z_1^{(2)})$                           | $(z_{21} = x_1 z_1,\ z_{22} = z_1)$     | $(z_2^{(1)} = x_1^{(1)} z_1^{(1)},\ z_2^{(2)} = z_1^{(2)})$
Step 3 | $(x_3^{(1)}, x_3^{(2)}),\ (z_2^{(1)}, z_2^{(2)})$                           | $(z_{31} = z_2,\ z_{32} = z_2 + x_3)$   | $(z_3^{(1)} = z_2^{(1)},\ z_3^{(2)} = z_2^{(2)} + x_3^{(2)})$

In Step 1 we do two multiplications, $x_2 x_3$ for $f_1$ and $x_1 x_2$ for $f_2$; in
Step 2 we do a multiplication $x_1 z_1$ for $f_1$ and do nothing for $f_2$; in Step 3
we do an addition $z_2 + x_3$ for $f_2$ and do nothing for $f_1$. It is evident that
$z_3^{(1)} = x_1^{(1)} x_2^{(1)} x_3^{(1)}$ and $z_3^{(2)} = x_1^{(2)} x_2^{(2)} + x_3^{(2)}$.
The invariant here means that for $1 \le i \le 3$, $(x_i^{(1)}, x_i^{(2)})$ and
$(z_i^{(1)}, z_i^{(2)})$ all remain multi-secret shared by $\mathcal{M}$ during the
computation.

Next we discuss how to do multiplications or additions at each step. According to
the types of operations we execute for the two functions at each step (e.g., Step 1
of Example 1), there are four cases to be considered, as follows, where
"$\backslash$" means that no operation is actually done and the output is one of
the inputs. Without loss of generality, in the following we assume that
$P = \{P_1, P_2, P_3, P_4\}$.

Case 1: $(+, +)$. First suppose that we are to compute $g_1 = x_1 + x_2$ and
$g_2 = x_3 + x_4$. The inputs $(x_i^{(1)}, x_i^{(2)})$ are multi-secret shared such
that each player $P_j$ holds
$(x_i^{(1)}, x_i^{(2)}, \vec{\rho}_i)(M_{P_j})^T = (s_{ij1}, \ldots, s_{ijd_j}) \in \mathcal{K}^{d_j}$
distributed by $P_i$, where $1 \le i \le 4$. The output is to be the multi-secret
shared $(x_1^{(1)} + x_2^{(1)}, x_3^{(2)} + x_4^{(2)})$. Then $P_j$ locally computes

$$(x_1^{(1)}, x_1^{(2)}, \vec{\rho}_1)(M_{P_j})^T + (x_2^{(1)}, x_2^{(2)}, \vec{\rho}_2)(M_{P_j})^T = (x_1^{(1)} + x_2^{(1)},\ x_1^{(2)} + x_2^{(2)},\ \vec{\rho}_1 + \vec{\rho}_2)(M_{P_j})^T = (s_{1j1} + s_{2j1}, \ldots, s_{1jd_j} + s_{2jd_j}), \qquad (2)$$

$$(x_3^{(1)}, x_3^{(2)}, \vec{\rho}_3)(M_{P_j})^T + (x_4^{(1)}, x_4^{(2)}, \vec{\rho}_4)(M_{P_j})^T = (x_3^{(1)} + x_4^{(1)},\ x_3^{(2)} + x_4^{(2)},\ \vec{\rho}_3 + \vec{\rho}_4)(M_{P_j})^T = (s_{3j1} + s_{4j1}, \ldots, s_{3jd_j} + s_{4jd_j}). \qquad (3)$$

Actually, through (2) $P_j$ gets shares for $(x_1^{(1)} + x_2^{(1)}, x_1^{(2)} + x_2^{(2)})$
and through (3) $P_j$ gets shares for $(x_3^{(1)} + x_4^{(1)}, x_3^{(2)} + x_4^{(2)})$.
In order to guarantee security, we need to multi-secret share
$(x_1^{(1)} + x_2^{(1)}, x_3^{(2)} + x_4^{(2)})$, so each player must reshare his
present shares. Precisely, by the reconstruction algorithm of the LMSSS there
exist $\vec{a}, \vec{b} \in \mathcal{K}^{\sum_{i=1}^n d_i}$ such that

$$x_1^{(1)} + x_2^{(1)} = \sum_{i=1}^n \sum_{k=1}^{d_i} a_{ik}(s_{1ik} + s_{2ik}), \qquad x_3^{(2)} + x_4^{(2)} = \sum_{i=1}^n \sum_{k=1}^{d_i} b_{ik}(s_{3ik} + s_{4ik}). \qquad (4)$$

So each player $P_j$ reshares
$\big(\sum_{k=1}^{d_j} a_{jk}(s_{1jk} + s_{2jk}),\ \sum_{k=1}^{d_j} b_{jk}(s_{3jk} + s_{4jk})\big)$
through

$$\Big(\sum_{k=1}^{d_j} a_{jk}(s_{1jk} + s_{2jk}),\ \sum_{k=1}^{d_j} b_{jk}(s_{3jk} + s_{4jk}),\ \vec{\rho}_j'\Big) M^T$$

and sends each of the other players a share. Finally $P_j$ adds up all the shares he
obtained from the resharing, i.e.,

$$\sum_{i=1}^n \Big(\sum_{k=1}^{d_i} a_{ik}(s_{1ik} + s_{2ik}),\ \sum_{k=1}^{d_i} b_{ik}(s_{3ik} + s_{4ik}),\ \vec{\rho}_i'\Big)(M_{P_j})^T = \Big(\sum_{i=1}^n \sum_{k=1}^{d_i} a_{ik}(s_{1ik} + s_{2ik}),\ \sum_{i=1}^n \sum_{k=1}^{d_i} b_{ik}(s_{3ik} + s_{4ik}),\ \sum_{i=1}^n \vec{\rho}_i'\Big)(M_{P_j})^T = \Big(x_1^{(1)} + x_2^{(1)},\ x_3^{(2)} + x_4^{(2)},\ \sum_{i=1}^n \vec{\rho}_i'\Big)(M_{P_j})^T,$$

which is actually $P_j$'s share for $(x_1^{(1)} + x_2^{(1)}, x_3^{(2)} + x_4^{(2)})$.

Note that if we are to compute $(x_1^{(1)} + x_2^{(1)}, x_1^{(2)} + x_2^{(2)})$ at this
step, equality (2) is enough and we do not need resharing at all. Although we only
discuss adding up two items here, we can add up more items at once in the same
way. Furthermore, it is trivial to deal with multiplication by constants in
$\mathcal{K}$, since the constant is public.

Case 2: $(\times, \times)$. Suppose we are to compute $(g_1 = x_1 x_2, g_2 = x_3 x_4)$.
Since $\mathcal{M}(\mathcal{K}, M, \psi)$ is assumed to be multiplicative, there
exist recombination vectors $\vec{r}, \vec{t} \in \mathcal{K}^{\sum_{i=1}^n d_i^2}$
such that

$$x_1^{(1)} x_2^{(1)} = \big\langle \vec{r},\ (x_1^{(1)}, x_1^{(2)}, \vec{\rho}_1) M^T \diamond (x_2^{(1)}, x_2^{(2)}, \vec{\rho}_2) M^T \big\rangle, \qquad (5)$$

$$x_3^{(2)} x_4^{(2)} = \big\langle \vec{t},\ (x_3^{(1)}, x_3^{(2)}, \vec{\rho}_3) M^T \diamond (x_4^{(1)}, x_4^{(2)}, \vec{\rho}_4) M^T \big\rangle. \qquad (6)$$

$P_j$ computes
$(x_1^{(1)}, x_1^{(2)}, \vec{\rho}_1)(M_{P_j})^T \diamond (x_2^{(1)}, x_2^{(2)}, \vec{\rho}_2)(M_{P_j})^T = (\alpha_{j1}, \ldots, \alpha_{jd_j^2}) \in \mathcal{K}^{d_j^2}$
and
$(x_3^{(1)}, x_3^{(2)}, \vec{\rho}_3)(M_{P_j})^T \diamond (x_4^{(1)}, x_4^{(2)}, \vec{\rho}_4)(M_{P_j})^T = (\beta_{j1}, \ldots, \beta_{jd_j^2}) \in \mathcal{K}^{d_j^2}$.
From (5) and (6) we have

$$x_1^{(1)} x_2^{(1)} = \sum_{j=1}^n \sum_{k=1}^{d_j^2} r_{jk} \alpha_{jk}, \qquad x_3^{(2)} x_4^{(2)} = \sum_{j=1}^n \sum_{k=1}^{d_j^2} t_{jk} \beta_{jk}. \qquad (7)$$

$P_j$ reshares $\big(\sum_{k=1}^{d_j^2} r_{jk} \alpha_{jk},\ \sum_{k=1}^{d_j^2} t_{jk} \beta_{jk}\big)$
by $\big(\sum_{k=1}^{d_j^2} r_{jk} \alpha_{jk},\ \sum_{k=1}^{d_j^2} t_{jk} \beta_{jk},\ \vec{\rho}_j'\big) M^T$.
Finally, $P_j$ computes

$$\sum_{i=1}^n \Big(\sum_{k=1}^{d_i^2} r_{ik} \alpha_{ik},\ \sum_{k=1}^{d_i^2} t_{ik} \beta_{ik},\ \vec{\rho}_i'\Big)(M_{P_j})^T = \Big(\sum_{i=1}^n \sum_{k=1}^{d_i^2} r_{ik} \alpha_{ik},\ \sum_{i=1}^n \sum_{k=1}^{d_i^2} t_{ik} \beta_{ik},\ \sum_{i=1}^n \vec{\rho}_i'\Big)(M_{P_j})^T = \Big(x_1^{(1)} x_2^{(1)},\ x_3^{(2)} x_4^{(2)},\ \sum_{i=1}^n \vec{\rho}_i'\Big)(M_{P_j})^T,$$

which is $P_j$'s share for $(x_1^{(1)} x_2^{(1)}, x_3^{(2)} x_4^{(2)})$.

Case 3: $(+, \backslash)$ or $(\backslash, +)$. Suppose we are to compute
$(g_1 = x_1 + x_2, g_2 = x_3)$. Similarly to (4), we have
$x_3^{(2)} = \sum_{j=1}^n \sum_{k=1}^{d_j} b_{jk} s_{3jk}$. So each player $P_j$
reshares $\big(\sum_{k=1}^{d_j} a_{jk}(s_{1jk} + s_{2jk}),\ \sum_{k=1}^{d_j} b_{jk} s_{3jk}\big)$
through

$$\Big(\sum_{k=1}^{d_j} a_{jk}(s_{1jk} + s_{2jk}),\ \sum_{k=1}^{d_j} b_{jk} s_{3jk},\ \vec{\rho}_j'\Big) M^T$$

and finally computes

$$\sum_{i=1}^n \Big(\sum_{k=1}^{d_i} a_{ik}(s_{1ik} + s_{2ik}),\ \sum_{k=1}^{d_i} b_{ik} s_{3ik},\ \vec{\rho}_i'\Big)(M_{P_j})^T = \Big(x_1^{(1)} + x_2^{(1)},\ x_3^{(2)},\ \sum_{i=1}^n \vec{\rho}_i'\Big)(M_{P_j})^T,$$

which is $P_j$'s share for $(x_1^{(1)} + x_2^{(1)}, x_3^{(2)})$.

Case 4: $(\times, \backslash)$ or $(\backslash, \times)$. It is similar to the above
cases and the details are omitted here.

Outputting. At the end of the computing phase, the final value
$(f_1(x_1^{(1)}, \ldots, x_n^{(1)}), f_2(x_1^{(2)}, \ldots, x_n^{(2)}))$ is multi-secret
shared by using $\mathcal{M}$. If every player is allowed to get the value, in the
last phase $P_i$ publishes his share for
$(f_1(x_1^{(1)}, \ldots, x_n^{(1)}), f_2(x_1^{(2)}, \ldots, x_n^{(2)}))$, where
$1 \le i \le n$; then every player can compute
$(f_1(x_1^{(1)}, \ldots, x_n^{(1)}), f_2(x_1^{(2)}, \ldots, x_n^{(2)}))$ by the
reconstruction algorithm.

If $f_1(x_1^{(1)}, \ldots, x_n^{(1)})$ is required to be held only by $P_1$ and
$f_2(x_1^{(2)}, \ldots, x_n^{(2)})$ is to be held only by $P_2$, all shares cannot
simply be transmitted to $P_1$ and $P_2$, because by doing so $P_1$, resp. $P_2$,
would also learn $f_2(x_1^{(2)}, \ldots, x_n^{(2)})$, resp.
$f_1(x_1^{(1)}, \ldots, x_n^{(1)})$. Fortunately, by the reconstruction algorithm,
$f_1(x_1^{(1)}, \ldots, x_n^{(1)})$ and $f_2(x_1^{(2)}, \ldots, x_n^{(2)})$ are linear
combinations of the shares that all players finally hold, so they can be computed
through a simple MPC protocol [9] as follows, while keeping the privacy of the
shares and thus guaranteeing security for parallel MPC.

Since $(f_1(x_1^{(1)}, \ldots, x_n^{(1)}), f_2(x_1^{(2)}, \ldots, x_n^{(2)}))$ is
multi-secret shared through $\mathcal{M}$, suppose $P_i$'s share for it is
$(s_{i1}, \ldots, s_{id_i}) \in \mathcal{K}^{d_i}$, where $1 \le i \le n$. Similarly
to equality (4), we have

$$f_1(x_1^{(1)}, \ldots, x_n^{(1)}) = \sum_{i=1}^n \sum_{k=1}^{d_i} a_{ik} s_{ik}, \qquad f_2(x_1^{(2)}, \ldots, x_n^{(2)}) = \sum_{i=1}^n \sum_{k=1}^{d_i} b_{ik} s_{ik}.$$

In order to securely compute $f_1(x_1^{(1)}, \ldots, x_n^{(1)})$ such that only $P_1$
learns the value and the other players get nothing new, we need a simple MPC
protocol. Precisely, for $1 \le i \le n$, $P_i$ randomly selects
$r_{i1}, r_{i2}, \ldots, r_{i,n-1} \in \mathcal{K}$ and sets
$r_{in} = \sum_{k=1}^{d_i} a_{ik} s_{ik} - \sum_{j=1}^{n-1} r_{ij}$. Then $P_i$ secretly
transmits $r_{ij}$ to $P_j$, $1 \le j \le n$, $j \ne i$. After that $P_j$ locally
computes $\lambda_j = \sum_{i=1}^n r_{ij}$ and transmits $\lambda_j$ to $P_1$, where
$1 \le j \le n$. The process can be displayed as follows.

$$\begin{array}{lcccl}
 & P_1 & \cdots & P_n & \\
P_1 : \sum_{k=1}^{d_1} a_{1k} s_{1k} \to & r_{11} & \cdots & r_{1n} & \quad \sum_{k=1}^{d_1} a_{1k} s_{1k} = \sum_{j=1}^n r_{1j} \\
P_2 : \sum_{k=1}^{d_2} a_{2k} s_{2k} \to & r_{21} & \cdots & r_{2n} & \quad \sum_{k=1}^{d_2} a_{2k} s_{2k} = \sum_{j=1}^n r_{2j} \\
\vdots & \vdots & & \vdots & \quad \vdots \\
P_n : \sum_{k=1}^{d_n} a_{nk} s_{nk} \to & r_{n1} & \cdots & r_{nn} & \quad \sum_{k=1}^{d_n} a_{nk} s_{nk} = \sum_{j=1}^n r_{nj} \\
 & \lambda_1 = \sum_{i=1}^n r_{i1} & \cdots & \lambda_n = \sum_{i=1}^n r_{in} &
\end{array} \qquad (8)$$

Finally, $P_1$ computes

$$\sum_{j=1}^n \lambda_j = \sum_{j=1}^n \sum_{i=1}^n r_{ij} = \sum_{i=1}^n \sum_{j=1}^n r_{ij} = \sum_{i=1}^n \sum_{k=1}^{d_i} a_{ik} s_{ik} = f_1(x_1^{(1)}, \ldots, x_n^{(1)}).$$

Similarly, $f_2(x_1^{(2)}, \ldots, x_n^{(2)})$ can be securely computed so that only
$P_2$ gets the final value.
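The output protocol of table (8), as an added Python example (not code from the paper). The share vectors and the slices of $\vec{a}$, $\vec{b}$ are constructed from the Section 4 scheme for a sample final value $(f_1, f_2, \alpha, \beta) = (42, 17, 3, 5)$; $p = 101$ is an arbitrary prime and `secrets.randbelow` stands in for each player's private randomness. The returned view makes the privacy claim concrete: a non-receiving player only ever sees $n - 1$ uniformly masked summands, while the receiver sees the $\lambda_j$ whose sum is the value.

```python
# Added example, not code from the paper: the outputting phase of Section 3.2
# for f_1, which only P_1 may learn. P_i splits its term sum_k a_ik s_ik into n
# random summands r_i1..r_in (row i of table (8)), sends r_ij to P_j, and P_j
# forwards only the column sum lambda_j to the receiver. The share vectors below
# are constructed from the Section 4 scheme for (f_1, f_2, alpha, beta) =
# (42, 17, 3, 5); p = 101 is an arbitrary prime.
import secrets

P, N = 101, 5
SHARES = {1: [50, 5], 2: [5, 92], 3: [8], 4: [3, 6], 5: [11, 9]}   # (s_i1, ..., s_id_i)
A_SLICES = {1: [1, 0], 2: [0, 0], 3: [-1], 4: [0, 0], 5: [0, 0]}  # f_1 = s_11 - s_31
B_SLICES = {1: [0, 0], 2: [0, 0], 3: [1], 4: [1, 1], 5: [0, 0]}   # f_2 = s_31 + s_41 + s_42

def contribution(coeffs, share_vec):
    """sum_k a_ik s_ik: all that P_i feeds into the protocol."""
    return sum(c * s for c, s in zip(coeffs, share_vec)) % P

def split_row(c, rng):
    """Row i of (8): r_i1..r_i,n-1 uniform, r_in = c - sum of the others (mod p)."""
    r = [rng(P) for _ in range(N - 1)]
    return r + [(c - sum(r)) % P]

def output_to(receiver, coeff_slices, shares=SHARES, rng=secrets.randbelow):
    """Run the protocol. Returns (value the receiver learns, each player's view):
    a view holds the r_ij received from the others and, for the receiver, the lambda_j."""
    rows = {i: split_row(contribution(coeff_slices[i], shares[i]), rng) for i in shares}
    view = {j: {"received": {i: rows[i][j - 1] for i in rows if i != j}} for j in rows}
    lam = {j: sum(rows[i][j - 1] for i in rows) % P for j in rows}   # lambda_j = sum_i r_ij
    view[receiver]["lambdas"] = lam
    return sum(lam.values()) % P, view
```

`output_to(1, A_SLICES)` returns 42 for $P_1$ and `output_to(2, B_SLICES)` returns 17 for $P_2$; the two runs are independent, so neither receiver sees anything about the other function's value.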


3.3 Comparing with the "Direct Sum" Method

Since the "direct sum" method (in Section 3.1) is a natural way to realize secure
parallel multi-party computation, we compare our protocol (in Section 3.2) with it.
As to the security issue, note that in our protocol all inputs and outputs of every
step are multi-secret shared during the protocol. For any
$B \in \mathcal{A}_{i_1} \cap \cdots \cap \mathcal{A}_{i_k}$, it follows that
$\{S^{i_1}, \ldots, S^{i_k}\} \subseteq \{S^1, \ldots, S^m\} \setminus \{S^i \mid B \in AS_i,\ 1 \le i \le m\}$.
By the security requirement of the LMSSS, the players in $B$ get no information
about $\{S^{i_1}, \ldots, S^{i_k}\}$ from the shares they hold; that is, the
intermediate communication data held by the players in $B$ tells nothing about the
other players' inputs for the functions $f_{i_1}, \ldots, f_{i_k}$. So an adversary
corrupting the players in $B$ gets no information about the other players' (players
outside $B$) inputs for the functions $f_{i_1}, \ldots, f_{i_k}$, except what can be
implied from the inputs and outputs held by the players in $B$. Hence our protocol
and the "direct sum" method offer the same security.

Communication complexity is an important criterion for evaluating a protocol. By
using a "non-direct sum" LMSSS, our protocol may need less communication than
the "direct sum" method, and this advantage becomes more evident when computing
more complicated functions, i.e., functions that essentially contain more variables
and more multiplications. In the next section we show the advantage in
communication complexity through a specific example.


4 Example

Suppose that $P = \{P_1, P_2, P_3, P_4, P_5\}$ is the set of players and
$|\mathcal{K}| > 5$. Let
$AS_1 = \{A \subseteq P \mid |A| \ge 2 \text{ and } \{P_1, P_2\} \cap A \ne \emptyset\}$
and $AS_2 = \{A \subseteq P \mid |A| \ge 2 \text{ and } \{P_4, P_5\} \cap A \ne \emptyset\}$
be two access structures over $P$. The corresponding minimum access structures
are as follows:

$$(AS_1)_m = \{\{P_1, P_2\}, \{P_1, P_3\}, \{P_1, P_4\}, \{P_1, P_5\}, \{P_2, P_3\}, \{P_2, P_4\}, \{P_2, P_5\}\},$$

$$(AS_2)_m = \{\{P_4, P_5\}, \{P_1, P_4\}, \{P_2, P_4\}, \{P_3, P_4\}, \{P_1, P_5\}, \{P_2, P_5\}, \{P_3, P_5\}\}.$$

Obviously, the two corresponding adversary structures $\mathcal{A}_1 = 2^P \setminus AS_1$
and $\mathcal{A}_2 = 2^P \setminus AS_2$ are both Q2. The players are to securely
compute the multi-function $f_1 = x_1 + x_2 x_3$, $f_2 = x_1 x_2$ against an
$(\mathcal{A}_1, \mathcal{A}_2)$-adversary. For $1 \le i \le 5$, player $P_i$ has
private input $(x_i^{(1)}, x_i^{(2)})$.

By the "direct sum" method, we need to design for $f_i$ an MPC protocol against an
$\mathcal{A}_i$-adversary, where $1 \le i \le 2$. From [3] we know that the key step
is to devise LSSSs with respect to $AS_1$ and $AS_2$, respectively. Let

$$M_1 = \begin{pmatrix} 1 & 1 \\ 2 & 1 \\ 0 & 1 \\ 0 & 1 \\ 0 & 1 \end{pmatrix}, \qquad M_2 = \begin{pmatrix} 0 & 1 \\ 0 & 1 \\ 0 & 1 \\ 1 & 1 \\ 2 & 1 \end{pmatrix},$$

and $\psi_1, \psi_2 : \{1, 2, \ldots, 5\} \to P$ be defined as
$\psi_1(i) = \psi_2(i) = P_i$ for $1 \le i \le 5$. It is easy to verify that
$\mathcal{M}_i(\mathcal{K}, M_i, \psi_i)$ is a multiplicative MSP computing $f_{AS_i}$
with respect to $(1, 0) \in \mathcal{K}^2$, where $1 \le i \le 2$. Then the MPC
protocol follows. Note that the MPC protocol for computing a single function also
has an input sharing phase, a computing phase and an outputting phase.
By the protocol in Section 3.2, we first need to design an LMSSS with respect to the
multi-access structure $AS_1, AS_2$. Let

$$M = \begin{pmatrix}
1 & 0 & 1 & 1 \\
0 & 0 & 0 & 1 \\
0 & 0 & 0 & 1 \\
2 & 0 & 1 & 1 \\
0 & 0 & 1 & 1 \\
0 & 0 & 1 & 0 \\
0 & 1 & -2 & -1 \\
0 & 0 & 2 & 1 \\
0 & 1 & -1 & -1
\end{pmatrix}$$

and $\psi : \{1, 2, \ldots, 9\} \to P$ be defined as $\psi(1) = \psi(2) = P_1$,
$\psi(3) = \psi(4) = P_2$, $\psi(5) = P_3$, $\psi(6) = \psi(7) = P_4$,
$\psi(8) = \psi(9) = P_5$. It can be verified that $\mathcal{M}(\mathcal{K}, M, \psi)$
is an MSP computing $f_{AS_1}$ and $f_{AS_2}$ with respect to the target vectors
$\vec{e}_1, \vec{e}_2$, and later we are to verify that $\mathcal{M}(\mathcal{K}, M, \psi)$
is multiplicative.


Input Sharing. First, for $1 \le i \le 3$, $P_i$ multi-secret shares his private input
$(x_i^{(1)}, x_i^{(2)})$ by randomly choosing $\alpha_i, \beta_i \in \mathcal{K}$ and
sending $(x_i^{(1)}, x_i^{(2)}, \alpha_i, \beta_i)(M_{P_j})^T$ to player $P_j$, where
$1 \le j \le 5$. The following table shows the shares each player holds for
$(x_i^{(1)}, x_i^{(2)})$ after the phase.

       | $(x_1^{(1)}, x_1^{(2)})$                                 | $(x_2^{(1)}, x_2^{(2)})$                                 | $(x_3^{(1)}, x_3^{(2)})$
$P_1$  | $x_1^{(1)} + \alpha_1 + \beta_1,\ \beta_1$               | $x_2^{(1)} + \alpha_2 + \beta_2,\ \beta_2$               | $x_3^{(1)} + \alpha_3 + \beta_3,\ \beta_3$
$P_2$  | $\beta_1,\ 2x_1^{(1)} + \alpha_1 + \beta_1$              | $\beta_2,\ 2x_2^{(1)} + \alpha_2 + \beta_2$              | $\beta_3,\ 2x_3^{(1)} + \alpha_3 + \beta_3$
$P_3$  | $\alpha_1 + \beta_1$                                     | $\alpha_2 + \beta_2$                                     | $\alpha_3 + \beta_3$
$P_4$  | $\alpha_1,\ x_1^{(2)} - 2\alpha_1 - \beta_1$             | $\alpha_2,\ x_2^{(2)} - 2\alpha_2 - \beta_2$             | $\alpha_3,\ x_3^{(2)} - 2\alpha_3 - \beta_3$
$P_5$  | $2\alpha_1 + \beta_1,\ x_1^{(2)} - \alpha_1 - \beta_1$   | $2\alpha_2 + \beta_2,\ x_2^{(2)} - \alpha_2 - \beta_2$   | $2\alpha_3 + \beta_3,\ x_3^{(2)} - \alpha_3 - \beta_3$

Denote

$$(x_i^{(1)}, x_i^{(2)}, \alpha_i, \beta_i) M^T = \big(s_{i1}^{(1)}, s_{i2}^{(1)}, s_{i1}^{(2)}, s_{i2}^{(2)}, s_{i1}^{(3)}, s_{i1}^{(4)}, s_{i2}^{(4)}, s_{i1}^{(5)}, s_{i2}^{(5)}\big),$$

that is, $P_j$ holds $s_{ik}^{(j)}$ for $(x_i^{(1)}, x_i^{(2)})$, where $1 \le k \le d_j$,
$1 \le j \le 5$. It can be verified that

$$x_1^{(1)} = (x_1^{(1)} + \alpha_1 + \beta_1) - (\alpha_1 + \beta_1), \qquad x_1^{(2)} = (\alpha_1 + \beta_1) + \alpha_1 + (x_1^{(2)} - 2\alpha_1 - \beta_1), \qquad (9)$$

$$x_2^{(1)} x_3^{(1)} = -(x_2^{(1)} + \alpha_2 + \beta_2)(x_3^{(1)} + \alpha_3 + \beta_3) + \tfrac{1}{2}(2x_2^{(1)} + \alpha_2 + \beta_2)(2x_3^{(1)} + \alpha_3 + \beta_3) + \tfrac{1}{2}(\alpha_2 + \beta_2)(\alpha_3 + \beta_3), \qquad (10)$$

$$x_1^{(2)} x_2^{(2)} = (\alpha_1 + \beta_1)(\alpha_2 + \beta_2) - \alpha_1 \alpha_2 + (x_1^{(2)} - 2\alpha_1 - \beta_1)(x_2^{(2)} - 2\alpha_2 - \beta_2) + (2\alpha_1 + \beta_1)(x_2^{(2)} - \alpha_2 - \beta_2) + (x_1^{(2)} - \alpha_1 - \beta_1)(2\alpha_2 + \beta_2). \qquad (11)$$

Equality (9) gives the reconstruction algorithms for $\{P_1, P_3\}$ to recover
$x_1^{(1)}$ and for $\{P_3, P_4\}$ to recover $x_1^{(2)}$, so, as in equality (4), we
can set

$$\vec{a} = (1, 0, 0, 0, -1, 0, 0, 0, 0), \qquad \vec{b} = (0, 0, 0, 0, 1, 1, 1, 0, 0).$$
The equalities (10) and (11) show the MSP is multiplicative. Precisely, if we have
\[
(x_2^{(1)}, x_2^{(2)}, \alpha_2, \beta_2)M^T \diamond (x_3^{(1)}, x_3^{(2)}, \alpha_3, \beta_3)M^T =
(x_{11}^{(1)}x_{21}^{(1)},\ x_{11}^{(1)}x_{22}^{(1)},\ x_{12}^{(1)}x_{21}^{(1)},\ x_{12}^{(1)}x_{22}^{(1)},\
 x_{11}^{(2)}x_{21}^{(2)},\ x_{11}^{(2)}x_{22}^{(2)},\ x_{12}^{(2)}x_{21}^{(2)},\ x_{12}^{(2)}x_{22}^{(2)},\
 x_{11}^{(3)}x_{21}^{(3)},
\]
\[
 x_{11}^{(4)}x_{21}^{(4)},\ x_{11}^{(4)}x_{22}^{(4)},\ x_{12}^{(4)}x_{21}^{(4)},\ x_{12}^{(4)}x_{22}^{(4)},\
 x_{11}^{(5)}x_{21}^{(5)},\ x_{11}^{(5)}x_{22}^{(5)},\ x_{12}^{(5)}x_{21}^{(5)},\ x_{12}^{(5)}x_{22}^{(5)}),
\]
where $x_{1k}^{(j)}$, resp. $x_{2k}^{(j)}$, denotes the $k$-th share $P_j$ holds of the first, resp. second, operand,
then as in the equality (7) the recombination vectors are as follows:
\[
\vec r = (-1, 0, 0, 0, 0, 0, 0, \tfrac12, \tfrac12, 0, 0, 0, 0, 0, 0, 0, 0), \qquad
\vec t = (0, 0, 0, 0, 0, 0, 0, 0, 1, -1, 0, 0, 1, 0, 1, 1, 0).
\]

We transmit $22\log|\mathcal{K}|$ bits of information in this phase. For simplicity, the
functions computed in this example involve only a few variables. If all variables are
involved in each function, i.e., the variables $x_1, \ldots, x_5$ all appear in each function,
then we need to transmit $36\log|\mathcal{K}|$ bits in the input sharing phase, while by the
“direct sum” method $40\log|\mathcal{K}|$ bits need to be transmitted in this phase.

Computing. This phase consists of two steps.

Step 1: $(\times, \times)$. The output of this step is to be the multi-secret shared
$(x_2^{(1)}x_3^{(1)}, x_1^{(2)}x_2^{(2)})$. From (10) and (11), we can see that in the recombination
vector $\vec r$ only $P_1$, $P_2$ and $P_3$ have nonzero coefficients, and in the recombination
vector $\vec t$ only $P_3$, $P_4$ and $P_5$ have nonzero coefficients, so $P_1$ reshares
$(u_1, v_1) = (-(x_2^{(1)}+\alpha_2+\beta_2)(x_3^{(1)}+\alpha_3+\beta_3),\ 0)$, $P_2$ reshares
$(u_2, v_2) = (\tfrac12(2x_2^{(1)}+\alpha_2+\beta_2)(2x_3^{(1)}+\alpha_3+\beta_3),\ 0)$, $P_3$ reshares
$(u_3, v_3) = (\tfrac12(\alpha_2+\beta_2)(\alpha_3+\beta_3),\ (\alpha_1+\beta_1)(\alpha_2+\beta_2))$, $P_4$ reshares
$(u_4, v_4) = (0,\ -\alpha_1\alpha_2 + (x_1^{(2)}-2\alpha_1-\beta_1)(x_2^{(2)}-2\alpha_2-\beta_2))$
and $P_5$ reshares $(u_5, v_5) = (0,\ (2\alpha_1+\beta_1)(x_2^{(2)}-\alpha_2-\beta_2) + (x_1^{(2)}-\alpha_1-\beta_1)(2\alpha_2+\beta_2))$.

After resharing, as shares of $(u_i, v_i)$, $P_1$ gets $u_i+\alpha'_i+\beta'_i,\ \beta'_i$; $P_2$ gets $\beta'_i,\ 2u_i+\alpha'_i+\beta'_i$;
$P_3$ gets $\alpha'_i+\beta'_i$; $P_4$ gets $\alpha'_i,\ v_i-2\alpha'_i-\beta'_i$ and $P_5$ gets $2\alpha'_i+\beta'_i,\ v_i-\alpha'_i-\beta'_i$,
where $1 \le i \le 5$. Finally

$P_1$ computes $\sum_{i=1}^{5}(u_i+\alpha'_i+\beta'_i) = x_2^{(1)}x_3^{(1)} + \sum_{i=1}^{5}(\alpha'_i+\beta'_i)$, and $\sum_{i=1}^{5}\beta'_i$;

$P_2$ computes $\sum_{i=1}^{5}\beta'_i$, and $\sum_{i=1}^{5}(2u_i+\alpha'_i+\beta'_i) = 2x_2^{(1)}x_3^{(1)} + \sum_{i=1}^{5}(\alpha'_i+\beta'_i)$;

$P_3$ computes $\sum_{i=1}^{5}(\alpha'_i+\beta'_i)$;

$P_4$ computes $\sum_{i=1}^{5}\alpha'_i$, and $\sum_{i=1}^{5}(v_i-2\alpha'_i-\beta'_i) = x_1^{(2)}x_2^{(2)} - \sum_{i=1}^{5}(2\alpha'_i+\beta'_i)$;

$P_5$ computes $\sum_{i=1}^{5}(2\alpha'_i+\beta'_i)$, and $\sum_{i=1}^{5}(v_i-\alpha'_i-\beta'_i) = x_1^{(2)}x_2^{(2)} - \sum_{i=1}^{5}(\alpha'_i+\beta'_i)$.

It can be verified that they are the shares for $(x_2^{(1)}x_3^{(1)}, x_1^{(2)}x_2^{(2)})$ generated from
$(x_2^{(1)}x_3^{(1)},\ x_1^{(2)}x_2^{(2)},\ \sum_{i=1}^{5}\alpha'_i,\ \sum_{i=1}^{5}\beta'_i)M^T$.

Step 2: $(+, \cdot)$. The output of this step is to be the multi-secret shared $(x_1^{(1)} + x_2^{(1)}x_3^{(1)},\ x_1^{(2)}x_2^{(2)})$.
Since $(x_2^{(1)}x_3^{(1)}, x_1^{(2)}x_2^{(2)})$ is multi-secret shared after Step 1 and
$(x_1^{(1)}, x_1^{(2)})$ is multi-secret shared in the Input Sharing phase, each player
adds his shares for $(x_2^{(1)}x_3^{(1)}, x_1^{(2)}x_2^{(2)})$ to his shares for $(x_1^{(1)}, x_1^{(2)})$. By the linear
combinations given in (9), $P_1$ reshares $(p_1, q_1) = ((x_1^{(1)}+\alpha_1+\beta_1) + \ldots$,
$P_3$ reshares $(p_3, q_3) = (-(\alpha_1+\beta_1) - \sum_{i=1}^{5}(\alpha'_i+\beta'_i),\ \sum_{i=1}^{5}(\alpha'_i+\beta'_i))$
and $P_4$ reshares $(p_4, q_4) = (0,\ \sum_{i=1}^{5}\alpha'_i + x_1^{(2)}x_2^{(2)} - \sum_{i=1}^{5}(2\alpha'_i+\beta'_i))$. Finally,

$P_1$ computes $\sum_{i=1,3,4}(p_i+\alpha''_i+\beta''_i) = x_1^{(1)} + x_2^{(1)}x_3^{(1)} + \sum_{i=1,3,4}(\alpha''_i+\beta''_i)$, and $\sum_{i=1,3,4}\beta''_i$;

$P_2$ computes $\sum_{i=1,3,4}\beta''_i$, and $\sum_{i=1,3,4}(2p_i+\alpha''_i+\beta''_i) = 2(x_1^{(1)} + x_2^{(1)}x_3^{(1)}) + \sum_{i=1,3,4}(\alpha''_i+\beta''_i)$;

$P_3$ computes $\sum_{i=1,3,4}(\alpha''_i+\beta''_i)$;

$P_4$ computes $\sum_{i=1,3,4}\alpha''_i$, and $\sum_{i=1,3,4}(q_i-2\alpha''_i-\beta''_i) = x_1^{(2)}x_2^{(2)} - \sum_{i=1,3,4}(2\alpha''_i+\beta''_i)$;

$P_5$ computes $\sum_{i=1,3,4}(2\alpha''_i+\beta''_i)$, and $\sum_{i=1,3,4}(q_i-\alpha''_i-\beta''_i) = x_1^{(2)}x_2^{(2)} - \sum_{i=1,3,4}(\alpha''_i+\beta''_i)$.

It can be verified that they are the shares for $(x_1^{(1)} + x_2^{(1)}x_3^{(1)},\ x_1^{(2)}x_2^{(2)})$ generated
from $(x_1^{(1)} + x_2^{(1)}x_3^{(1)},\ x_1^{(2)}x_2^{(2)},\ \sum_{i=1,3,4}\alpha''_i,\ \sum_{i=1,3,4}\beta''_i)M^T$.
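The input-sharing table, the equalities (9) to (11) and the two computing steps above can be checked numerically. The following Python script is an added example and not the paper's own code: it reads the matrix $M$ off the share table (so the row order and the map $\psi$ are reconstructions), takes $\mathcal{K}$ to be the integers modulo a constructed prime, and runs Input Sharing, Step 1 and Step 2 on random inputs. The `reshare` helper is written once for both steps: each player computes the part of a public linear combination that he holds locally, reshares it, and everyone adds what he receives. With $\vec r, \vec t$ over the local products this is the multiplication step; with $\vec a, \vec b$ over the summed shares it is the addition step.

```python
"""Numerical check of the multi-secret-sharing example over a prime field.

Constructed for this page, not the paper's code: M is read off the share table,
K is GF(P) for a constructed prime P, inputs are random.  The functions are
f1 = x1 + x2*x3 (first coordinates) and f2 = x1*x2 (second coordinates).
"""
import random

P = 1_000_003              # constructed prime; the paper only assumes a field K
INV2 = pow(2, -1, P)       # the coefficient 1/2 in equality (10)

# Rows of M reconstructed from the share table: row . (x^(1), x^(2), alpha, beta)
# is one share.  OWNER is the map psi (which player holds each row).
M = [
    (1, 0, 1, 1), (0, 0, 0, 1),      # P1: x^(1)+a+b,  b
    (0, 0, 0, 1), (2, 0, 1, 1),      # P2: b,          2x^(1)+a+b
    (0, 0, 1, 1),                    # P3: a+b
    (0, 0, 1, 0), (0, 1, -2, -1),    # P4: a,          x^(2)-2a-b
    (0, 0, 2, 1), (0, 1, -1, -1),    # P5: 2a+b,       x^(2)-a-b
]
OWNER = [1, 1, 2, 2, 3, 4, 4, 5, 5]
PLAYERS = (1, 2, 3, 4, 5)
# Owner of each of the 17 local products (4 per two-share player, 1 for P3).
PROD_OWNER = [p for p in PLAYERS for _ in range(OWNER.count(p) ** 2)]

# Reconstruction vectors of (9) and recombination vectors of (10), (11).
A_VEC = (1, 0, 0, 0, -1, 0, 0, 0, 0)
B_VEC = (0, 0, 0, 0, 1, 1, 1, 0, 0)
R_VEC = (-1, 0, 0, 0, 0, 0, 0, INV2, INV2, 0, 0, 0, 0, 0, 0, 0, 0)
T_VEC = (0, 0, 0, 0, 0, 0, 0, 0, 1, -1, 0, 0, 1, 0, 1, 1, 0)


def share(x1, x2, rng):
    """Multi-secret share (x1, x2): the 9 entries of (x1, x2, alpha, beta) M^T."""
    v = (x1, x2, rng.randrange(P), rng.randrange(P))
    return [sum(m * e for m, e in zip(row, v)) % P for row in M]


def combine(values, coeffs):
    """Public linear combination used for reconstruction."""
    return sum(c * s for c, s in zip(coeffs, values)) % P


def local_products(s, t):
    """The diamond operation: each player multiplies every share of s he holds
    with every share of t he holds (ordered by player, then by (k, l))."""
    out = []
    for p in PLAYERS:
        idx = [i for i, o in enumerate(OWNER) if o == p]
        out += [s[i] * t[j] % P for i in idx for j in idx]
    return out


def reshare(terms_a, terms_b, rng):
    """Each player computes his part (u_p, v_p) of two public linear
    combinations, reshares the pair, and everyone adds the shares received.
    terms_* are lists of (owner, coefficient, value)."""
    total = [0] * len(M)
    for p in PLAYERS:
        u = sum(c * val for o, c, val in terms_a if o == p) % P
        v = sum(c * val for o, c, val in terms_b if o == p) % P
        for i, sh in enumerate(share(u, v, rng)):
            total[i] = (total[i] + sh) % P
    return total


def compute(x, rng):
    """Input Sharing, Step 1 (x, x) and Step 2 (+, .) on x = {i: (x_i^(1), x_i^(2))};
    returns the reconstructed (f1, f2)."""
    sh = {i: share(*x[i], rng) for i in (1, 2, 3)}
    # Step 1: shares of (x2^(1) x3^(1), x1^(2) x2^(2)) via r and t.
    prod = reshare(
        list(zip(PROD_OWNER, R_VEC, local_products(sh[2], sh[3]))),
        list(zip(PROD_OWNER, T_VEC, local_products(sh[1], sh[2]))),
        rng)
    # Step 2: add the shares of x1 locally, then reshare along the vectors
    # of (9) so that the second coordinate stays x1^(2) x2^(2).
    summed = [(a + b) % P for a, b in zip(prod, sh[1])]
    out = reshare(list(zip(OWNER, A_VEC, summed)),
                  list(zip(OWNER, B_VEC, prod)), rng)
    return combine(out, A_VEC), combine(out, B_VEC)


def demo(seed=7):
    """Returns (protocol result, directly computed result) for random inputs."""
    rng = random.Random(seed)
    x = {i: (rng.randrange(P), rng.randrange(P)) for i in (1, 2, 3)}
    got = compute(x, rng)
    want = ((x[1][0] + x[2][0] * x[3][0]) % P, x[1][1] * x[2][1] % P)
    return got, want


if __name__ == "__main__":
    print(demo())
```

Replacing `R_VEC` or `T_VEC` by any other vector makes `demo` disagree, which is the quick way to see that the recombination vectors are tied to the specific share table and not just to the number of players.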

In each step dealing with multiplications, our protocol transmits at most
$36\log|\mathcal{K}|$ bits of information. By the “direct sum” method, each time we do
a multiplication $20\log|\mathcal{K}|$ bits need to be transmitted. Assume that $f_1$ contains $p$
multiplications and $f_2$ contains $q$ multiplications, where $p \le q$. Then our protocol
needs to transmit $36q\log|\mathcal{K}|$ bits to complete all multiplications, while the “direct
sum” method transmits $20(p+q)\log|\mathcal{K}|$ bits. If $p = q$, we see that our protocol
transmits $4p\log|\mathcal{K}|$ bits less than the “direct sum” method.

In the last step of this phase, that is, when we do additions, from the reconstruction
algorithm given by (9) only $P_1$, $P_3$ and $P_4$ need to reshare their shares.
But by the “direct sum” method, no resharing is needed when doing additions.
So our protocol transmits at most $22\log|\mathcal{K}|$ bits more than the “direct sum”
method when dealing with additions. However, when both functions essentially
contain large numbers of multiplications, our protocol has a great advantage in
communication complexity.

Outputting. Assume that all players are allowed to get the final value of both
functions. Then every player publishes his share for $(x_1^{(1)} + x_2^{(1)}x_3^{(1)},\ x_1^{(2)}x_2^{(2)})$ and
can compute the final value by the reconstruction algorithms. If $x_1^{(1)} + x_2^{(1)}x_3^{(1)}$
is assumed to be held by $P_1$ and $x_1^{(2)}x_2^{(2)}$ is assumed to be held by $P_2$, then our
protocol transmits at most $20\log|\mathcal{K}|$ bits more than the “direct sum” method
according to (8). Fortunately, this disadvantage is fixed, that is, it does not
depend on the functions we compute.

As a whole, our protocol needs less communication than the “direct sum”
method when computing complicated functions.
Appendix: Construct Multiplicative MSP

Let $\mathcal{M}(\mathcal{K}, M, \psi)$ be an MSP computing $f_{AS_1}$ and $f_{AS_2}$ with respect to $\{\vec e_1, \vec e_2\}$.
For simplicity, we use $\vec e_1$, resp. $\vec e_2$, to denote vectors of the form $(1, 0, \cdots, 0)$,
resp. $(0, 1, 0, \cdots, 0)$, without distinguishing the dimensions; the dimension
can be determined from context. From [5] we can assume that the columns of $M$
are linearly independent, and so $d \ge l$. Compute $\vec w_1, \vec w_2$ such that $\vec w_1 M = \vec e_1$
and $\vec w_2 M = \vec e_2$, and compute $\vec v_1, \ldots, \vec v_{d-l}$ as a basis of the solution space of the
linear equations $\vec v M = 0$. Then construct a matrix
\[
\widetilde{M} = \begin{pmatrix}
m_{11} & \cdots & m_{1l} & & & & & \\
\vdots & & \vdots & & & & & \\
m_{d1} & \cdots & m_{dl} & & & & & \\
\vec w_1^{\,T} & & & \vec v_1^{\,T} & \cdots & \vec v_{d-l}^{\,T} & & \\
 & \vec w_2^{\,T} & & & & & \vec v_1^{\,T} \ \cdots & \vec v_{d-l}^{\,T}
\end{pmatrix}
\]
where $\begin{pmatrix} m_{11} & \cdots & m_{1l} \\ \vdots & & \vdots \\ m_{d1} & \cdots & m_{dl} \end{pmatrix} = M$, the column vectors $\vec w_1^{\,T}$, $\vec w_2^{\,T}$ and $\vec v_j^{\,T}$ each occupy $d$ rows,
and the blanks in $\widetilde{M}$ denote zero elements. So $\widetilde{M}$
is a $3d \times (2d - l)$ matrix over $\mathcal{K}$. Define a function $\widetilde\psi : \{1, \ldots, 3d\} \to \{1, \ldots, n\}$ as
follows: for $1 \le k \le d$, $\widetilde\psi(k) = \psi(k)$; for $d < k \le 2d$, $\widetilde\psi(k) = \psi(k - d)$; for
$2d < k \le 3d$, $\widetilde\psi(k) = \psi(k - 2d)$. Therefore we get an MSP $\widetilde{\mathcal{M}}(\mathcal{K}, \widetilde{M}, \widetilde\psi)$.


Proposition 2. The monotone span program $\widetilde{\mathcal{M}}(\mathcal{K}, \widetilde{M}, \widetilde\psi)$ constructed above is
a multiplicative MSP computing the Boolean functions $f_{AS_1}$ and $f_{AS_2}$ with respect
to the target vectors $\{\vec e_1, \vec e_2\}$.

Proof: Let $\widetilde{M}_1$, resp. $\widetilde{M}_2$, be the matrix composed of the rows from the $(d+1)$-th
to the $2d$-th row of $\widetilde{M}$, resp. from the $(2d+1)$-th to the $3d$-th row of $\widetilde{M}$.
Then $\widetilde{M}_1$ and $\widetilde{M}_2$ are two $d \times (2d-l)$ matrices, and
$\widetilde{M} = \begin{pmatrix} M_0 \\ \widetilde{M}_1 \\ \widetilde{M}_2 \end{pmatrix}$, where $M_0$
denotes the $d \times (2d-l)$ matrix generated by adding $2(d-l)$ all-zero columns
to the right of the original $d \times l$ matrix $M$. Let $AS_1^* = \{B \subset P \mid \bar B \notin AS_1\}$
and $AS_2^* = \{B \subset P \mid \bar B \notin AS_2\}$. From [5], the MSP $\widetilde{\mathcal{M}}_1(\mathcal{K}, \widetilde{M}_1, \psi)$, resp.
$\widetilde{\mathcal{M}}_2(\mathcal{K}, \widetilde{M}_2, \psi)$, computes the Boolean function $f_{AS_1^*}$, resp. $f_{AS_2^*}$, with respect to
the target vector $\vec e_1$, resp. $\vec e_2$.

In order to prove that $\widetilde{\mathcal{M}}(\mathcal{K}, \widetilde{M}, \widetilde\psi)$ computes the Boolean functions $f_{AS_1}$ and
$f_{AS_2}$ with respect to the target vectors $\{\vec e_1, \vec e_2\}$, we need to prove: (1) $\vec e_1 \in \mathrm{span}\{\widetilde{M}_A\}$
iff $A \in AS_1$; (2) $\vec e_2 \in \mathrm{span}\{\widetilde{M}_A\}$ iff $A \in AS_2$; (3) if $A \notin AS_1 \cup AS_2$, then $\widetilde{M}$
rejects $A$ with respect to $\{\vec e_1, \vec e_2\}$, i.e. $\mathrm{Rank}\begin{pmatrix} \widetilde{M}_A \\ \vec e_1 \\ \vec e_2 \end{pmatrix} = \mathrm{Rank}\,\widetilde{M}_A + 2$.

(1) Suppose that $A \in AS_1$. Because $\mathcal{M}(\mathcal{K}, M, \psi)$ computes $f_{AS_1}$ with respect
to $\vec e_1$, $\vec e_1 \in \mathrm{span}\{(M_0)_A\} \subset \mathrm{span}\{\widetilde{M}_A\}$. On the other hand, suppose that $\vec e_1 \in
\mathrm{span}\{\widetilde{M}_A\}$. If $\vec e_1 \in \mathrm{span}\{(M_0)_A\}$, then $A \in AS_1$ because $\mathcal{M}$ computes $f_{AS_1}$ with
respect to $\vec e_1$. Otherwise $(\widetilde{M}_1)_A$ or $(\widetilde{M}_2)_A$ must contribute to the generation of
$\vec e_1$. If $(\widetilde{M}_1)_A$ contributes, it is easy to see that its contribution must lie in $\mathrm{span}\{\vec e_1\}$.
So $\vec e_1 \in \mathrm{span}\{(\widetilde{M}_1)_A\}$. Because $\widetilde{\mathcal{M}}_1(\mathcal{K}, \widetilde{M}_1, \psi)$ computes the Boolean function
$f_{AS_1^*}$ with respect to the target vector $\vec e_1$, $\vec e_1 \in \mathrm{span}\{(\widetilde{M}_1)_A\}$ implies that $A \in
AS_1^*$. By the assumption that $\mathcal{A}_1 = 2^P - AS_1$ is $Q2$, $AS_1^* \subset AS_1$ and then $A \in AS_1$.
Similarly, if $(\widetilde{M}_2)_A$ contributes, its contribution must lie in $\mathrm{span}\{\vec e_2\}$. So $\vec e_2 \in
\mathrm{span}\{(\widetilde{M}_2)_A\}$, and thus $A \in AS_2$. Because $\mathcal{M}(\mathcal{K}, M, \psi)$ computes $f_{AS_2}$ with
respect to $\vec e_2$, then $\vec e_2 \in \mathrm{span}\{(M_0)_A\}$. As a result, the contribution of $(\widetilde{M}_2)_A$ is
included in that of $(M_0)_A$. Thus we can disregard $(\widetilde{M}_2)_A$ when generating $\vec e_1$,
and we have proved that $\vec e_1 \in \mathrm{span}\{(M_0)_A, (\widetilde{M}_1)_A\}$ implies $A \in AS_1$.

(2) By a discussion similar to (1), $\vec e_2 \in \mathrm{span}\{\widetilde{M}_A\}$ iff $A \in AS_2$.

(3) Suppose that $A \notin AS_1 \cup AS_2$. It follows that
\[
\mathrm{span}\{(M_0)_A, \vec e_1, \vec e_2\} \cap \mathrm{span}\{(\widetilde{M}_1)_A\}
= \mathrm{span}\{(M_0)_A, \vec e_1, \vec e_2\} \cap \mathrm{span}\{(\widetilde{M}_2)_A\}
= \mathrm{span}\{(\widetilde{M}_1)_A\} \cap \mathrm{span}\{(\widetilde{M}_2)_A\} = 0. \tag{12}
\]
So
\[
\begin{aligned}
\mathrm{Rank}\begin{pmatrix} \widetilde{M}_A \\ \vec e_1 \\ \vec e_2 \end{pmatrix}
 &= \mathrm{Rank}\begin{pmatrix} (M_0)_A \\ \vec e_1 \\ \vec e_2 \end{pmatrix} + \mathrm{Rank}\,(\widetilde{M}_1)_A + \mathrm{Rank}\,(\widetilde{M}_2)_A & (13) \\
 &= \mathrm{Rank}\,(M_0)_A + 2 + \mathrm{Rank}\,(\widetilde{M}_1)_A + \mathrm{Rank}\,(\widetilde{M}_2)_A & (14) \\
 &= \mathrm{Rank}\,\widetilde{M}_A + 2, & (15)
\end{aligned}
\]
where the equalities (13) and (15) come from the equality (12), and the equality (14)
comes from the fact that $\mathcal{M}$ computes $f_{AS_1}$ and $f_{AS_2}$ with respect to $\{\vec e_1, \vec e_2\}$.

Then we prove that $\widetilde{\mathcal{M}}(\mathcal{K}, \widetilde{M}, \widetilde\psi)$ is multiplicative. For any $s_1, s_1' \in S_1$, $s_2, s_2' \in S_2$,
and $\vec\rho, \vec\rho' \in \mathcal{K}^{2d-l-2}$, denote
\[
(s_1, s_2, \vec\rho)\widetilde{M}^T = (s_1, s_2, \vec\rho)\big((M_0)^T, (\widetilde{M}_1)^T, (\widetilde{M}_2)^T\big) = (\vec u, \vec v, \vec w),
\]
where $\vec u = (s_1, s_2, \vec\rho)(M_0)^T \in \mathcal{K}^d$, $\vec v = (s_1, s_2, \vec\rho)(\widetilde{M}_1)^T \in \mathcal{K}^d$ and
$\vec w = (s_1, s_2, \vec\rho)(\widetilde{M}_2)^T \in \mathcal{K}^d$, and likewise $(\vec u', \vec v', \vec w')$ for $(s_1', s_2', \vec\rho')$.
Then using the operation notations in Section 3.1, we have the following:
\[
\langle \vec u, \vec v' \rangle = \vec u\,\vec v'^{\,T} = (s_1, s_2, \vec\rho)\,M_0^T\,\widetilde{M}_1\,(s_1', s_2', \vec\rho')^T
= (s_1, s_2, \vec\rho)\begin{pmatrix} 1 & 0 & 0 & \cdots & 0 \\ 0 & 0 & 0 & \cdots & 0 \\ \vdots & & & & \vdots \\ 0 & 0 & 0 & \cdots & 0 \end{pmatrix}(s_1', s_2', \vec\rho')^T = s_1 s_1',
\]
\[
\langle \vec u, \vec w' \rangle = \vec u\,\vec w'^{\,T} = (s_1, s_2, \vec\rho)\,M_0^T\,\widetilde{M}_2\,(s_1', s_2', \vec\rho')^T
= (s_1, s_2, \vec\rho)\begin{pmatrix} 0 & 0 & 0 & \cdots & 0 \\ 0 & 1 & 0 & \cdots & 0 \\ \vdots & & & & \vdots \\ 0 & 0 & 0 & \cdots & 0 \end{pmatrix}(s_1', s_2', \vec\rho')^T = s_2 s_2',
\]
since $M^T \vec w_1^{\,T} = \vec e_1^{\,T}$, $M^T \vec w_2^{\,T} = \vec e_2^{\,T}$ and $M^T \vec v_j^{\,T} = 0$ for every $j$.
Hence $\widetilde{\mathcal{M}}(\mathcal{K}, \widetilde{M}, \widetilde\psi)$ is multiplicative.
Abstract. Micali, Rabin, and Kilian [9] recently introduced zero- 
knowledge sets and databases, in which a prover sets up a database 
by publishing a commitment, and then gives proofs about particular val- 
ues. While an elegant and useful primitive, zero-knowledge databases 
do not offer any good way to perform updates. We explore the issue 
of updating zero-knowledge databases. We define and discuss transpar- 
ent updates, which (1) allow holders of proofs that are still valid to 
update their proofs, but (2) otherwise maintain secrecy about the 
update. 

We give rigorous definitions for transparently updatable zero- 
knowledge databases, and give a practical construction based on the 
Chase et al [2] construction, assuming that verifiable random functions 
exist and that mercurial commitments exist, in the random oracle model. 
We also investigate the idea of updatable commitments, an attempt to 
make simple commitments transparently updatable. We define this new 
primitive and give a simple secure construction. 

Keywords: zero-knowledge databases, zero-knowledge sets, transparent 
updates, zero-knowledge, protocols, commitments, updatable commit- 
ments. 


1 Introduction 

Recently, zero-knowledge databases were introduced by Micali, Rabin, and Kilian 
[9]. A zero-knowledge database is a finite partial function D mapping binary 
strings to binary strings (i.e., a set of pairs of strings (x, y) such that no two pairs 
have equal first entries but different second entries).¹ The database owner chooses 
D and “publishes” the zero-knowledge database in the form of a commitment 
that pins down the database but leaks nothing, not even its size. Once the 
database is committed, the set owner acts as a prover: on a query x, the prover 
gives a proof that either x lies outside D or D(x) = y, while still not revealing 
any further information about D. Commitments and proofs in a zero-knowledge 
database are non-interactive and done in the common random string model. 

¹ Micali, Rabin, and Kilian call these simple databases “elementary” databases. All 
databases in this paper are of this simple type. 

B. Roy (Ed.): ASIACRYPT 2005, LNCS 3788, pp. 174-198, 2005. 
Zero-knowledgeness is shown by exhibiting a polynomial-time simulator that 
produces a full transcript distribution (i.e., the commitment and the proofs to 
all query strings) identical to that of the real prover, knowing only “ D(x ) = y” 
or “x is not in D” for each query and at the last possible moment. While it 
is conceptually simpler to deal with computational zero-knowledge (and in fact 
computationally zero-knowledge databases were provided in earlier versions of 
their paper [5,8]), the Micali-Rabin-Kilian solution is more desirable because it 
is perfect zero-knowledge. Further, it is much more efficient as it does not involve 
complex general purpose non-interactive zero-knowledge proofs. 

Zero-knowledge databases are a powerful primitive, but they have a major dis- 
advantage in that they are static. This seems like an undesirable property in most 
applications. For example, if the database were a list of people under investigation 
for criminal activities, updates would be a critical part of the system. Naively, the 
only way to update a zero-knowledge database would be to commit to its new 
version from scratch. However, this is undesirable in two significant ways. 

— First, the running time of such an update depends on the size of D, which 
may be huge, even though the newest version may differ only on a single 
pair (x, y). 

— Second, it may be that those who have seen proofs of membership or non- 
membership in the original set may be entitled to, or may request again, 
the same proofs in the new set (for example, if proofs are given due to 
subscription to some service). If this is the case, the owner would have to 
reissue old proofs, which could be a huge additional expense. 

The second of these points brings up a question that is of interest: when up- 
dating such a database, should the proofs be updated as well, or should the new 
set be private even against those with old proofs?² Depending on the application 
in which the zero-knowledge set is used, either one may be the desirable kind of 
update. We distinguish these two types of updates by giving them different names: 

— opaque updates make the updated commitment indistinguishable from a new 
commitment (hence, the database becomes “opaque” to the users after the 
update); 

— transparent updates allow the users to determine whether their proofs are 
still valid, and provide a mechanism to update proofs (hence, “transparent” 
to proof holders). 

We focus on the problem of transparent updates for two reasons: first, we 
believe it is the more desirable of the two, as the idea of a subscription service 
of some type seems to naturally fit the idea of a zero knowledge database, and 
second, an inefficient but adequate method exists for opaquely updatable zero- 
knowledge sets, namely, reconstructing the updated commitment from scratch, 
while no method exists for transparently updatable zero-knowledge sets. 


² It is possible that neither will hold, but it seems natural that we should want one of 
these. 
In this paper, we define the notion of transparently updatable zero-knowledge 
databases, and show how to construct efficient transparently updatable zero- 
knowledge databases both based specifically on the Micali-Rabin-Kilian con- 
struction and on the more general construction of Chase et al [2], under the 
additional assumption that verifiable random functions exist in the random or- 
acle model. We also define the notion of an updatable commitment and give a 
computationally hiding, perfectly binding secure updatable commitment scheme. 

In appendix B, we discuss the problem of opaquely updatable zero-knowledge 
databases. 


1.1 Related Work 

Zero knowledge sets were introduced in the work of Micali, Rabin, and Kilian 
[9]. Important precursors to zero knowledge sets appeared in earlier papers by 
those authors [5,8]. Chase, Healy, Lysyanskaya, Malkin, and Reyzin [2] describe 
the notion of mercurial commitments , that is, commitments that can be “hard” 
or “soft,” an abstraction of the type of commitments used in the Micali-Rabin- 
Kilian construction, and show that any mercurial commitment scheme can be 
used to construct zero-knowledge databases. Recent work by Ostrovsky, Rackoff, 
and Smith [11] greatly enlarges the functionality of zero-knowledge databases 
by allowing more complex queries (e.g., “does the database’s support intersect 
a given string interval?”). They first design a data structure that, without any 
privacy concerns, efficiently handles complex queries, and then augment it with 
zero-knowledge proofs so as to provide privacy, constructing zero-knowledge sets 
under general assumptions. 

1.2 Structure of the Paper 

In section 2, we give notation to be used in the rest of the paper. In section 3, we 
define the security properties needed for updatable zero-knowledge databases. In 
section 4, we summarize various primitives and previous work, and introduce the 
notion of updating commitments. In section 5, we give a construction for transpar- 
ently updatable zero-knowledge databases. In section 6, we discuss the efficiency 
of our construction. We conclude and discuss open problems in section 7. 

2 Notation 

We shall follow in our notation from many previous papers, particularly from [9,1]. 

Probabilistic assignments and experiments. By x ← M we indicate that the variable x is assigned according to M. If M is a finite set, we assume x is drawn from the uniform distribution on M. The notation x_1 ← M_1; x_2 ← M_2; . . . denotes the probability distribution that arises when we first assign x_1 from distribution M_1, then x_2, et cetera. If p is a predicate, then the notation Pr[x_1 ← M_1; x_2 ← M_2; . . . : p(x_1, x_2, . . .)] denotes the probability that p is true given that distribution. 
Databases. A database D is a set of pairs {(x_1, y_1), . . . , (x_n, y_n)} such that for any database key x there is at most one y such that (x, y) ∈ D. Each x_i and each y_i is a string of unbounded size. We denote by [D] the support of D, that is, the set {x_1, . . . , x_n}. To indicate that x ∉ [D] we write D(x) = ⊥. If x ∈ [D] we write D(x) = y to indicate the unique string y such that (x, y) ∈ D. By D(x) ← y we mean that D shall be changed so that D(x) = y. This may involve exchanging one pair (x, y') for (x, y), or adding (x, y) to the set, or if y = ⊥, removing the pair (x, y') if any such pair is present. 

Polynomial-time adversaries. For the purposes of our definitions, adversaries are specified as Turing machines that repeatedly make outputs of the form (w_i, s_i), where w_i is some query and s_i is state information the adversary will use to make the subsequent query. When we assume that such an A is a polynomial-time adversary, we assume that not only is A a polynomial-time algorithm, but that A will ultimately make only polynomially many queries before halting. 

Adversary views. If A is an adversary, we define View_A{x_1 ← M_1, . . . , x_n ← M_n} to be a random variable representing the randomness, inputs, and outputs of the adversary A through the computation of the values x_1, . . . , x_n according to the given probabilistic experiment. Presumably, some of the probabilistic assignment sources M_i involve the adversary A, or the view would be trivial. 

Binary trees. We use string notation to specify nodes in a binary tree; ε will be the root of the tree. If v is a node in the tree, v0 will be the left child of v while v1 will be the right child. Values that are stored in a tree at each node will have this string as a subscript; for example, a_ε would be the value of a stored at the root node ε. If the depth of the tree is bounded by k, the longest strings that refer to nodes in the tree will be of length k. We mean by a prefix of a string s any string ω (including s) such that there is a string s' such that ωs' = s. Note that if ω is a prefix of s, then ω will be a node that lies on the path from ε to s in a binary tree. 

3 Definitions 

Our goal in this section is to rigorously define transparently updatable zero- 
knowledge databases. 

3.1 Mechanics 

As with zero-knowledge databases, updatable zero-knowledge databases rely on 
a public random string σ, the reference string. This string must have length 
polynomial in k, the security parameter. 

There are three types of tasks the prover will have to be able to perform. 
First of all, she will have to be able to commit to the database initially. Second, 
she will have to be able to issue proofs of membership or non-membership in the 
database for any key. Finally, she will have to be able to issue updates to the 
database. 

A verifier should be able to verify proofs and to update proofs. 
Transparently Updatable Database Systems. We say that a quintuple of Turing machines, (Commit, Prove, DBUpdate, Verify, PUpdate), constitute a transparently updatable database system or TUDB system if none of the machines retain state information after an execution and their computation on common inputs 1^k, a unary string called the security parameter, and σ, a binary string called the reference string, proceeds as follows: 

- The database commitment algorithm is Commit. On input (D, 1^k, σ), Commit produces two outputs: (1) a string PK, called D’s public key (or commitment), and (2) a string SK, called D’s secret key. 

- The database proof algorithm is Prove. On input (D, 1^k, σ, PK, SK), and an additional input x ∈ {0, 1}*, Prove outputs a string π_x, called D’s proof about x. 

- The database update algorithm is DBUpdate. On input (D, 1^k, σ, PK, SK), an additional input x ∈ {0, 1}*, and a value y ∈ {0, 1}* ∪ {⊥}, DBUpdate computes a new public key PK' and a new secret key SK' for the updated database in which D(x) = y, and a string U called the update information about x and y, which will be used to update proofs. 

- The proof verifying algorithm is Verify. On input (1^k, σ, PK) and an additional x ∈ {0, 1}* together with its proof π_x, Verify outputs either a string y ∈ {0, 1}* (meaning that it believes y = D(x)), ⊥ (meaning that it believes that x is outside D’s support), or reject (meaning that it detected cheating). 

- The proof update algorithm is PUpdate. On input (1^k, σ, PK, PK', U), and an additional x ∈ {0, 1}* together with its proof π_x, PUpdate outputs either a new proof π'_x, which will be called the updated proof about x, ⊥ (meaning that the update given by PK', U was about x and so the proof cannot be updated), or reject (meaning that it detected cheating). 

3.2 Security Properties 

Updatable zero-knowledge databases must satisfy certain security properties: 
completeness, soundness, and zero-knowledge. We first describe the desired prop- 
erties informally, and then formalize our definitions. 

Completeness dictates that if the prover and verifier are honest, then for any 
database, if the prover updates the database any number of times, then gives 
the verifier a proof about x, and then updates the database any number of times, 
the verifier may update their proof and obtain a valid one, except with negligible 
probability, so long as D(x) was not updated after the proof was issued. 

Soundness guarantees that the prover is in fact committed to a particular 
database. That is, given the reference string a it should be hard for any prover 
to come up with a PK and any element for which it can prove two different 
values. 

The zero-knowledge property of updatable zero-knowledge databases is trickier 
to describe. Ideally, the adversary should learn nothing more than the values of 
elements for which a proof has been obtained (and possibly updated), and that 
updates have occurred. However, we have not been able to realize this full level 
of security, and instead offer a weaker but acceptable notion of security. Each key 
x that might be included in the database will have a pseudonym N(x). Instead 
of revealing only that an update has occurred, we reveal that an update has 
occurred about the key relating to a particular pseudonym. Thus, the pattern 
of updates is revealed (since the pseudonym is constant for a constant x, so 
repeated updates on keys can be discovered). In addition, the link between a 
value x and its pseudonym N(x) will be revealed by Prove. However, we require 
that no information beyond this be revealed. 

This alone does not constitute a high enough level of security: N(x) could 
reveal information about x. One particular N that is desirable is one that an- 
swers 1 to its first input, 2 to its second distinct input, and so on. We call 
this pseudonym the pattern pseudonym N_P, as revealing N_P(x) for many x is 
equivalent to revealing the pattern of values. 

To say this more clearly, a system is zero-knowledge with respect to 
pseudonym N if, even given any adversary A and any database D the views 
of A in each of the following two experiments are indistinguishable. 

1. First, a random reference string σ is chosen. Then, D is chosen by A and given to the prover, who creates an updatable zero-knowledge database based on D and σ, committing to it with PK while keeping SK private. Then the adversary adaptively chooses a sequence of strings x_1, x_2, . . . where either x_i = Query(x) or x_i = Update(x, y). When x_i is a query, the prover returns a proof π_i that either x is in the database or that x is not in the database. When x_i is Update(x, y), the prover updates so that D(x) = y and sends PK_i, U_i to the adversary. 

2. The simulator Sim, on input only the security parameter k, produces a string σ of the proper length, and a public key PK. The adversary adaptively chooses a sequence of strings x_1, x_2, . . ., where x_i is either Query(x) or Update(x, y). If x_i = Query(x), the simulator is told x, N(x), and D(x) (where D is up to date, starting with the initial D), and must compute π_i. If x_i is an update Update(x, y), the simulator is given N(x) and must compute SK_i, PK_i, U_i, while D is updated so that D(x) = y. Note that the pseudonym function N is not part of the adversary or the simulator here, but rather is thought of as an oracle that is only called when the game specifies. 

In the first scenario, there is no pseudonym function. In the second, the pseudonym function exists; however, the adversary is not directly aware of its presence: the adversary specifies updates Update(x, y) which get translated into N(x) for the simulator. 

The concept of pseudonyms seems inevitable in any zero-knowledge database 
construction. A zero- knowledge database is in some sense a committed tree, and a 
particular element must have a unique place to reside (so that we can prove non- 
membership), which can be thought of as its pseudonym. Furthermore, we cannot 
use zero-knowledge proofs that reveal nothing about the data structure - the user 
has to learn enough to allow them to update, but this seems to be the only way to 



180 M. Liskov 


avoid revealing pseudonyms. We have not been able to conceive of a system that 
does not use pseudonyms, or that uses them but does not reveal them. 

We say a transparently updatable database is secure if it is complete, sound, 
and zero-knowledge with respect to the pattern pseudonym Np. We say it is 
secure with respect to N if it is complete, sound, and zero-knowledge with respect 
to N. Thus, while we may talk about security with respect to other pseudonyms, 
we regard Np as the only truly acceptable one. 

Efficiency Properties. In order for us to consider an updatable zero-knowledge 
database efficient, we ask that: 

— The running time of the procedure that generates the initial commitment 
may depend on the size of the database, but all other running times must 
be independent of the size. 

— None of the sizes of the outputs other than SK may depend on the number 
of updates. 

— None of the running times of any of the verifier algorithms may depend on 
the number of updates that have been performed (in a sense limiting total 
performance to linear in the number of updates, since some procedures are 
performed once per update). 

3.3 Formal Definitions 

We formalize our definitions in appendix A. 

4 Preliminaries 

Before we present our construction, we first review some crucial building blocks 
used in our construction. Some of our text follows closely from the preliminaries 
section from [9]. 

4.1 Updatable Commitments 

Here, we define updatable commitments. In an ordinary commitment scheme, 
there are two algorithms: C, which takes a message m as input and produces c 
and d, where c is the commitment, and d is the information used to open the 
commitment later, and V, which takes a commitment c, a message m, and a 
decommitment d, and checks whether c was a commitment to m, using d. Note 
that there may also be public parameters which are inputs to all algorithms, but 
for clarity we simplify. 

In an updatable commitment, there will be one more algorithm: U, which 
takes a message m and decommitment information d, and produces a commit- 
ment c, where d will be the decommitment information used to open c. The 
binding property is defined in the natural way. The hiding property is essen- 
tially that commitments be indistinguishable under a chosen message attack, 
where the adversary may ask for commitments, updated commitments, and de- 
commitments of his choice, so long as he doesn’t ask for a decommitment of the 
challenge or any message derived from the challenge through updates. 
Our Construction. Our construction is quite simple. Given a secure perfectly 
binding commitment scheme and a secure pseudorandom permutation P, we 
can construct a simple computationally hiding, perfectly binding commitment 
scheme as follows: 

C(m): generate a key K for the pseudorandom permutation, a random string 
IV, and compute c_1, a commitment to K under the commitment scheme, 
and d_1, the related decommitment information, and c_2, the evaluation of the 
pseudorandom permutation on m ⊕ IV with key K. Output c = (c_1, c_2, IV), 
and d = (K, c_1, d_1). 

V((c_1, c_2, IV), m, (K, c_1, d_1)): check that c_1 is a commitment to K using d_1. If 
not, reject. Then, check that c_2 = P_K(m ⊕ IV). If so, accept; if not, reject. 

U(m, (K, c_1, d_1)): compute c_2 = P_K(m) and output c = (c_1, c_2). 

It is clear that any commitment is a commitment to one specific value, since 
c_1 specifies a unique K, and given that K, c_2 specifies a unique m. Furthermore, 
c_2 is the encryption of the one-block message m under CBC mode, so if this 
scheme is not hiding, then either the PRP is not pseudorandom or the underlying 
commitment scheme is not hiding. This is true even if K is used for many different 
commitments, so long as K is never revealed. 
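As an added example (not the paper's code) of the scheme just described, here is a runnable Python version of C, V and U. Its assumptions: the pseudorandom permutation is a toy four-round Feistel network keyed through HMAC-SHA256 (a stand-in for a real block cipher), the commitment to K is the hash commitment SHA256(K ‖ d_1), which is computationally rather than perfectly binding, so the binding argument is weaker than the paper's, messages are fixed 32-byte blocks, and U draws a fresh IV for each update, which the page's description of U leaves out.

```python
"""Updatable commitment of Section 4.1, constructed for this page (not the paper's code).

Assumptions: toy Feistel PRP keyed by HMAC-SHA256 in place of a block cipher;
hash commitment SHA256(K || d1) to K (computationally, not perfectly, binding);
32-byte messages; a fresh IV per update.
"""
import hashlib
import hmac
import os

BLOCK = 32  # message and PRP block size in bytes (assumption)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def prp(key, block):
    """Toy PRP P_K on 32-byte blocks: 4 Feistel rounds with round function
    HMAC-SHA256(K, round || right)[:16].  A Feistel network is a bijection,
    which is what the binding argument needs."""
    left, right = block[:16], block[16:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:16]
        left, right = right, _xor(left, f)
    return right + left


def commit(m):
    """C(m): fresh key K and IV, commitment c1 to K, and c2 = P_K(m xor IV)."""
    assert len(m) == BLOCK
    K, IV, d1 = os.urandom(32), os.urandom(BLOCK), os.urandom(32)
    c1 = hashlib.sha256(K + d1).digest()
    c2 = prp(K, _xor(m, IV))
    return (c1, c2, IV), (K, c1, d1)


def verify(c, m, d):
    """V(c, m, d): check that c1 opens to K with d1, then that c2 = P_K(m xor IV)."""
    c1, c2, IV = c
    K, c1_d, d1 = d
    if c1 != c1_d or hashlib.sha256(K + d1).digest() != c1:
        return False
    return hmac.compare_digest(c2, prp(K, _xor(m, IV)))


def update(m_new, d):
    """U(m, d): reuse K (hence c1) for a new commitment that the same d opens.
    A fresh IV is drawn per update (assumption; the page's U omits the IV)."""
    K, c1, _ = d
    IV = os.urandom(BLOCK)
    return (c1, prp(K, _xor(m_new, IV)), IV)


def demo():
    """Commit to m1, update to m2; each commitment opens only to its own message."""
    m1 = b"balance=100".ljust(BLOCK, b" ")   # constructed messages
    m2 = b"balance=250".ljust(BLOCK, b" ")
    c, d = commit(m1)
    c_new = update(m2, d)
    return (verify(c, m1, d), verify(c, m2, d),
            verify(c_new, m2, d), verify(c_new, m1, d),
            c[0] == c_new[0])   # c1, and so K, is shared across updates


if __name__ == "__main__":
    print(demo())  # (True, False, True, False, True)
```

The last flag in `demo` is the point to keep in mind when deploying this: every commitment derived by U carries the same c_1, so an observer can link all updates of one chain, which is exactly the transparency the paper wants, and K must never be disclosed because one decommitment would open the whole chain.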

4.2 Mercurial Commitments 

Mercurial commitments were introduced recently by Chase et al [2] with direct 
application to zero-knowledge sets and databases. A mercurial commitment is 
a commitment scheme in which there are two kinds of commitments and two 
kinds of ways to decommit. 

— A “hard commitment” is a commitment to a particular value. It can only be 
decommitted to that value, whether the decommitment is a hard or a soft 

— A “soft commitment” is a commitment to no value. It can never be hard- 
decommitted, but it can be soft-decommitted to any value. 

A mercurial commitment scheme is secure when it is hiding (in the sense that 
the type of a commitment is kept secret as well as the value if the commitment 
is a hard commitment) and binding (in the sense that the committer cannot 
break the above rules.) Mercurial commitments have a non- interactive commit- 
ment and decommitment, but require the public random string model. In fact, 
they also have a trap-door property: if the public random string is chosen by a 
simulator, the simulator can avoid the binding properties. 

4.3 Pedersen’s Commitment Scheme 

Pedersen’s commitment scheme [12] assumes the availability of a public quadru- 
ple (p, q, g, h), where p and q are prime, q | p − 1, and g and h are generators for 
G, the cyclic subgroup of Z_p^* of order q, for which computing discrete logarithms 
is assumed to be hard. 
The commitment and verification algorithms are defined as follows, where all 
operations are performed modulo $p$: 

$C((p, q, g, h), m)$: randomly select $r \in \mathbb{Z}_q$ and output $(c, r)$, where $c = g^m h^r$ is 
the commitment string, and $r$ is the (for the time being secret) proof. 

$V((p, q, g, h), c, m, r)$: If $c = g^m h^r$, then accept; else, reject. 

This commitment scheme is perfectly hiding and computationally binding. 
The mercurial commitment scheme used in [9] is based directly on this com-
mitment scheme. Instead of using $g$ as the base to compute $g^m$ directly, we use 
a different base for each commitment: $g^e$ for a hard commitment or $h^e$ for a 
soft commitment, and publish the base that we use as part of the commitment 
(where $e$ is random). A soft decommitment consists of publishing $r$; then, it can 
be checked that $c = b^m h^r$ where $b$ is the base being used. A hard decommitment 
involves publishing $r$ as well as $e$, so that it can also be checked that $g^e = b$. 

4.4 CHLMR Zero-Knowledge Databases 

The following is a summary of the general zero-knowledge database construction 
of Chase, Healy, Lysyanskaya, Malkin, and Reyzin [2]. 

ZK databases. The construction works in the public random string model, that 
is, there is a common random reference string $\sigma$. 

In order to force every key to be of length $k$, we first hash them to obtain 
the database $\{(H(x), y)\}$. Every node in the tree can be labelled by a string 
$\omega \in \{0, 1\}^{\le k}$. At each node $\omega$ there will be the following values associated: 

— A value $v_\omega$. If $\omega = H(x)$ for some $x \in [D]$ then $v_\omega = H(D(x))$. If $|\omega| = k$ 
but $\omega \neq H(x)$ for any $x \in [D]$ then $v_\omega = H(\bot)$. If $\omega$ is an internal node, 
the value $v_\omega$ is defined recursively as $H(c_{\omega 0} c_{\omega 1})$ where $c_\omega$ is defined below. 
Essentially, the values $v_\omega$ make the tree a Merkle tree. 

— A commitment $c_\omega$ which is either a soft commitment or a hard commitment 
to $v_\omega$. 

— Decommitment information $d_\omega$ for the commitment $c_\omega$. 

The commitment to the database is the commitment $c_\varepsilon$ from the root node $\varepsilon$. 
In order to prove that an element $x$ is in the database, the set owner gives a 
proof consisting of: 

1. $D(x)$, so that $H(D(x))$ is the value $v_{H(x)}$, 

2. For every $\omega$ that is a prefix of $H(x)$, $c_\omega$ and a hard decommitment of $c_\omega$, and 

3. For every $\omega$ that is a sibling along the path from $\varepsilon$ to $H(x)$, the value $c_\omega$. 

The verifier uses this to construct the values $v_\omega$ for every $\omega$ that is a prefix 
of $H(x)$, and then checks the hard decommitments. 



Updatable Zero-Knowledge Databases 183 


In order to prove that an element $x$ is not in the database, the set owner 
gives a proof consisting of: 

1. For every $\omega$ that is a prefix of $H(x)$, $c_\omega$ and a soft decommitment of $c_\omega$ to 
$v_\omega$, and 

2. For every $\omega$ that is a sibling along the path from $\varepsilon$ to $H(x)$, the value $c_\omega$. 

The verifier checks as before, except that the verifier uses $D(x) = \bot$, and that 
the decommitments are soft. 

The key to the efficiency of the construction is the use of mercurial com-
mitments. If ordinary commitments were used, the entire tree of depth 
$k$ would have to be computed, which is clearly exponential. However, the tree 
is constructed so that soft commitments are used for any node that has no de-
scendants in the data set. The prover therefore need not compute those parts of 
the tree ahead of time, but can compute them when necessary and still be able 
to decommit. 

4.5 Verifiable Random Functions 

Verifiable random functions or VRFs were first presented by Micali, Rabin, and 
Vadhan [10], and subsequent constructions appear in [6, 3]. A verifiable random 
function consists of four algorithms: a key generating algorithm GenVRF that 
produces a pair $(PK, SK)$ on input $1^k$, an algorithm ComputeVRF that computes 
$f_{SK}(x)$, an algorithm ProveVRF that gives proofs $\pi$ that a value $y = f_{SK}(x)$ is 
correctly generated from $x$, and an algorithm VerVRF that verifies proofs, with 
the following informal properties: 

1. If $(PK, SK)$ are generated from GenVRF, and $y$ is generated from 
ComputeVRF$(SK, x)$ and $\pi$ is generated from ProveVRF$(SK, x)$, then 
VerVRF$(PK, x, y, \pi)$ will accept. 

2. $f_{SK}$ is a pseudorandom function, even to an adversary that may request 
both outputs and outputs with proofs, so long as the two sets of queries do 
not overlap. 

3. No adversary can produce a $(PK, SK)$ pair for which it can give proofs that 
will be verified for incorrect values. 

In particular, note that no adversary should be able to compute $f_{SK}(x)$ given 
$x$ and $PK$. 

5 Our Construction 

We describe our construction incrementally. First, we describe how to go about 
updating a CHLMR database efficiently. Then, we go on to describe how to 
provide update information that will allow proof holders to update their proofs. 
Then we give a construction with an unspecified pseudonym N and prove security 
relative to N. We then prove security in the random oracle model and discuss 
issues that arise relative to implementing the random oracle. 
5.1 Updating a CHLMR Database 

Suppose that we wish to assign a particular value $y$ (possibly $\bot$) to $D(x)$, for a 
given $x$, in a given CHLMR database. 

Our first goal is to efficiently compute a new commitment to a CHLMR 
database with the updated value. This is fairly easy to do, and natural. Essen-
tially, we just change the values at the leaf we are interested in, and update 
the internal nodes of the tree to maintain the required structure. To update the 
value $D(x)$, we regenerate the commitment $c_{H(x)}$ and from this recompute the 
values and commitments in the tree going up along the path from $H(x)$ to $\varepsilon$, 
leaving everything else the same. Now, for every prefix $\omega$ of $H(x)$, the value $v_\omega$ 
may change, so the value $c_\omega$ may also change. The set owner then publishes $c_\varepsilon$ 
anew. 

In order to make this fit all the properties of a ZK database, we must be 
careful when adding an element to the set that all its ancestors are hard com- 
mitments. Thus, when we add an element to the set that was previously not in 
the set, we must make commitments along the path hard commitments, even if 
they were previously soft commitments. In fact, we can simply make all com- 
mitments in any update hard commitments, to simplify. 

5.2 A Simple Mechanism for Updating Proofs 

Now, the updated database is a CHLMR database, just as was constructed 
before.³ The next step is to determine what information is necessary to allow 
proof holders to update their proofs. Since a proof is essentially a hash path 
in the tree along with decommitments to the values along that path, and the 
only internal nodes or commitments that have changed are the ones along the 
path from e to H(x), we could just publish all the commitments at the updated 
internal nodes. However, this is not quite sufficient, because decommitments 
are necessary for the proofs to be complete. To solve this, we need to modify 
our mercurial commitment scheme so that it is updatable, but the requirements 
are a little more complex than the requirements for an updatable commitment. 
Specifically, we need to be able to update such that (1) the updated commitment 
is always a hard commitment, and (2) the holder of a decommitment (soft or 
hard) can update their decommitment to a new one of the same type. 

Under general assumptions, the best known mercurial commitment is only 
computationally hiding. In order to make an updatable one, we need to combine a 
mercurial commitment scheme and an updatable commitment scheme as follows. 
Instead of publishing only the mercurial commitment $c$, we also publish $c_h$ and 
$c_s$, where $c_h$ is an updatable commitment to the hard decommitment of $c$ (or a 
random string if it is a soft commitment), and $c_s$ is an updatable commitment, 
initially to a random string, but after any updates, to a soft decommitment 
of $c$. A hard decommitment involves opening $c_h$, while a soft decommitment 
involves opening $c_s$, and also giving a soft decommitment to $c$. This means a 

3 Except, some commitments might be hard that don’t need to be hard commitments, 
but by the properties of mercurial commitments, this is an indistinguishable change. 
verifier will notice a difference between opening an original commitment and 
opening an updated one, but this will be acceptable for our means. Updating 
the commitment $(c, c_h, c_s)$ is done by replacing $c$ with a fresh commitment and 
updating $c_h$ and $c_s$ to be commitments to their new appropriate values. 

We can also make the MRK mercurial commitment updatable in this way, 
simply by reusing $r$. When we update a commitment, we always make it hard, 
so we also publish $e$. It is worth noting that this is not as hiding as we might 
like such a commitment to be in isolation, since (for instance) the ratio between 
$b^m$ and $(g^{e'})^{m'}$ is revealed, and an unbounded adversary could learn information 
from this. This costs us perfect zero-knowledge in our construction, but under 
the DDH assumption, this is still hiding. We should also note that updating 
commitments in this way does not give a mechanism for the verifier to determine 
$m'$, but, in our application, $m'$ can be derived from other information. 
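The r-reusing update of the MRK commitment just described, as an added example that is not the paper's code: the owner re-commits to the new value with a fresh e' but the old r and publishes e', the proof holder's r still opens the new commitment, and the ratio c/c' that reuse of r exposes is computed explicitly. It assumes a constructed toy group (p = 1019, q = 509; insecure, illustration only) and hypothetical function names.

```python
"""Updatable MRK mercurial commitment: reuse r, fresh e (added example, not the paper's code)."""
import secrets

P, Q = 1019, 509   # constructed toy group: p = 2q + 1, both prime; far too small to be secure
G, H = 4, 9        # quadratic residues, hence gener­ators of the order-q subgroup of Z_p^*


def pedersen(b, m, r):
    """c = b^m h^r (mod p) with base b, value m and randomness r."""
    return pow(b, m, P) * pow(H, r, P) % P


def hard_commit(m, r=None):
    """Hard commitment to m: base b = g^e with fresh e; r is fresh unless reused for an update."""
    e = 1 + secrets.randbelow(Q - 1)
    r = secrets.randbelow(Q) if r is None else r
    b = pow(G, e, P)
    return (pedersen(b, m, r), b), (e, r)


def verify_hard(com, m, r, e):
    """Hard decommitment check: c = b^m h^r and b = g^e."""
    c, b = com
    return c == pedersen(b, m, r) and b == pow(G, e, P)


def update_commit(secret, m_new):
    """Owner's update: commit to m_new with a fresh e' but the same r.
    Returns the new commitment, the published e' (updates are always hard) and the new secret."""
    _, r = secret
    com_new, (e_new, _) = hard_commit(m_new, r)
    return com_new, e_new, (e_new, r)


def holder_update(opening, e_new):
    """Proof holder's update: because r was reused, the old r together with the published e'
    opens the new commitment. The new value m' is not learned from the update string; in the
    ZK database it is recomputed from the published child commitments."""
    r, _ = opening
    return (r, e_new)


def leaked_ratio(com_old, com_new):
    """What reusing r exposes: c / c' = b^m / b'^m' no longer depends on r."""
    return com_old[0] * pow(com_new[0], -1, P) % P
```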

5.3 Attaining Zero-Knowledge with Respect to N 

Now we have a system where after an update we have a zero-knowledge database, 
and proofs can be updated. However, the updates do not preserve secrecy. The 
issue has to do with the pseudonym we use. Here, we use $H(x)$ as a pseudonym. 
In order to more carefully discuss the issue of our choice of pseudonym, we 
specify this construction by describing it in terms of an unspecified pseudonym 
$N(x)$. 

Commit$(D, 1^k, \sigma)$: Run the database commitment algorithm but instead of using 
$H(x)$ to define an element’s position in the tree, use $N(x)$. 

Prove$(D, 1^k, \sigma, PK, SK, x)$: run the database proof algorithm, looking for $x$ at 
position $N(x)$ to obtain $\pi_x$. 

DBUpdate$(D, 1^k, \sigma, PK, SK, x, y)$: create a new commitment $c_{N(x)}$ to $v_{N(x)} = 
H(y)$. Recursively, for each $\omega$ that is a prefix of $N(x)$, update $c_\omega$ to be a hard 
commitment to $v_\omega$. Compute $PK' = c_\varepsilon$, update $SK'$ by remembering all the 
new decommitment information, and compute $U = \{\omega, c_\omega\}$ for all prefixes $\omega$ 
of $N(x)$. 

Verify$(1^k, \sigma, PK, x, \pi_x)$: run the proof verifying algorithm to verify $\pi_x$, using 
$N(x)$ instead of $H(x)$, and check the value given as $N(x)$ to be sure it is 
correct. 

PUpdate$(1^k, \sigma, PK, PK', U, x, \pi_x)$: if $U$ is an update about $N(x)$, output $\bot$. 
(Note that $N(x)$ would be known from $\pi_x$.) Otherwise, for every $\omega$ that is 
a prefix of $N(x)$ and is included in $U$, we have a decommitment to the old 
$c_\omega$, so we update our decommitment. For every $\omega$ that is a sibling along the 
path, we change our value of $c_\omega$ to the value of $c_\omega$ given in the update $U$. 
Finally, we check our updated proof, and reject if it does not yield the same 
value; otherwise we output $\pi'_x$, our updated proof. 

Theorem 1. This scheme is a secure zero-knowledge transparently updatable 
database with respect to $N$. 

Proof. Due to space constraints, we only provide a proof sketch here. A more 
detailed proof may be found in appendix C. 
Completeness of this construction should be clear. Since the form of any 
database commitment and proof are just as in [2] except with a different scheme 
to assign database locations to database keys, soundness here follows from the 
soundness of their construction and the uniqueness of the mapping $x \mapsto N(x)$. 

For zero-knowledgeness we must show a simulator that has the required prop-
erties. First of all, the simulator generates $\sigma$ so that the mercurial commitment 
simulator can be used (that is, the simulator can break the binding property of 
the scheme). The simulator then generates a soft commitment $c_\varepsilon$ and publishes it. 

When the simulator is asked for a proof that $D(x) = y$ and is given $x$ and 
$N(x)$, it simply does exactly as the CHLMR database simulator does, except 
that the path is a path from $\varepsilon$ to $N(x)$. When the simulator is asked to update a 
value with a given pseudonym $n$, it performs an update just as DBUpdate would, 
using $y = \varepsilon$, creating $c_\omega$ values for each $\omega$ that is a prefix of $n$ for which $c_\omega$ was 
not already determined in a proof. (Note that DBUpdate does not need to know 
$x$ if it knows $N(x)$.) 

The values given in the proofs issued by the system are just sequences of com-
mitments, decommitted to the correct values, so the distribution of the proofs 
given by the simulator and those given by the real prover are indistinguishable. 
The distribution of updates is also identical except that the simulator always 
sets $y = \varepsilon$. However, the only value that depends directly on $y$ is $c_{N(x)}$ which 
is a (fresh) commitment, so in fact the distribution of update strings is also 
indistinguishable. Thus, we achieve zero-knowledge. 

5.4 Attaining Security in the Random Oracle Model 

We now have a system that gives a transparently updatable zero-knowledge 
database with respect to $N$ for an unspecified $N$. Unfortunately, we cannot 
simply specify $N = N_P$ and be done, because $N_P$ cannot be computed in a way 
verifiable to the user. This problem can be solved by assuming the random oracle 
model. The idea is that we use a random oracle that may be controlled by the 
simulator to compute $N(x)$. It should be clear that a random oracle computed 
on $x$ and a random oracle computed on $N_P(x)$ are identical. Thus, the simulator 
simulates the random oracle on input $N_P(x)$ by evaluating a random function 
on it. By doing this, the simulator may naturally compute $N(x)$ knowing only 
$N_P(x)$. Thus, such a simulator shows that if we use a random oracle as $N(x)$, 
our construction is secure. 

5.5 Implementing the Random Oracle 

Using the random oracle model has significant problems. First of all, random 
oracles are generally implemented by collision-resistant hash functions, but this 
cannot always be done securely. There is also an issue of pseudonym collisions, 
which we discuss in appendix D. 

Most importantly, though, we cannot simply use a public hash function here, 
because doing so would allow the adversary to query the pseudonym function, 
but it was one of our security requirements that the adversary not be able to do 
this. Ideally, the adversary should only be able to learn if a particular update 
was about $x$ by querying the database at $x$. 

The pseudonym function we propose to use is $H^*(x) = H(f(H(x)))$ where 
$H$ is a hash function and $f$ is a verifiable random function. We will still assume 
that $H$ is a random oracle, but now, even if $H$ is a random oracle, the adversary 
cannot query $H^*$. Before we jump into the security proof for this pseudonym, 
we must modify our construction slightly, because $H^*(x)$ cannot be computed 
by the verifier. 

— In Commit we also run GenVRF and make the public key $PK_f$ part of the 
public key, and keep $SK_f$ as part of the secret key. 

— In Prove$(D, 1^k, \sigma, PK, SK, x)$, we also give $\pi'_x = \mathrm{ProveVRF}(SK_f, H(x))$ and 
$z = \mathrm{ComputeVRF}(SK_f, H(x))$. 

— In Verify, we additionally run $\mathrm{VerVRF}(PK_f, H(x), z, \pi'_x)$ and check that 
$H^*(x) = H(z)$ before accepting. 

This fits nicely into our original specification; we are simply expanding the 
idea of what it means to check that $H^*(x)$ is correctly computed. 

Theorem 2. This construction is secure in the random oracle model. 

Proof. Again, we give only a sketch of the proof, due to space constraints. See 
appendix C for a full proof. 

Completeness is already established by our proof of Theorem 1. To prove 
soundness, we need only note that the pseudonym H*(x) that will be verified is 
unique, from the soundness property of the VRF. 

Zero-knowledge is more of a challenge. We give a simulator with respect 
to $N_P$ that gives us computational zero-knowledge. First, the simulator makes 
$\sigma$ and the database commitment $c_\varepsilon$ just as the previous simulator does. The 
simulator then runs GenVRF to generate $(PK_f, SK_f)$, and publishes $(PK_f, c_\varepsilon)$ 
as the database commitment. 

The simulator must answer three kinds of messages: random oracle queries, 
database queries, and update queries. The simulator maintains two random func-
tions, $H$ and $H'$, with the idea that $H'(N_P(x)) = H(f(H(x)))$. When the sim-
ulator receives an update query, it computes $H^*(x) = H'(N_P(x))$. When the 
simulator receives a database query, the simulator computes $H(x)$, and then 
computes $z = f_{SK_f}(H(x))$, and then sets $H(z) = H'(N_P(x))$ and fakes a proof 
that the value stored at $H^*(x) = H'(N_P(x))$ is $y$, just as the simulator does in 
Theorem 1. 

The illusion that $H'(N_P(x)) = H(f_{SK_f}(H(x)))$ is maintained as long as $H(z)$ 
is not already defined to be something else when the simulator tries to set $H(z) = 
H'(N_P(x))$. However, if this happens with non-negligible probability, it must be 
because either we have found an $f$-collision with non-negligible probability, or 
because the adversary has queried $H(z)$ separately. In either case, we can use 
such an adversary to break the pseudorandomness of $f$. Because ultimately 
the zero-knowledge property of our scheme may be defeated by defeating the 
pseudorandomness of $f$, we only get computational zero-knowledge. 
We note that if we restrict the adversary a bit further, we can actually remove 
the random oracle assumption. Specifically, if we require that whenever 
the adversary requests an update about x, that either the adversary has already 
queried the database at x, or the adversary will never query the database about 
x, then we can prove zero-knowledge without the random oracle. We can also 
remove the random oracle if we use general NIZK proofs. We discuss this further 
in appendix E. 

6 Efficiency 

Our proposal for the mechanics of a transparently updatable database embeds 
the idea that for each update (even of a single element) to the database, a public 
update string is published, and that for each update string that is published, 
each user updates each of their proofs. Given this syntax, our performance is 
optimal in terms of the number of updates: each update induces additional work 
for both the database owner and the user, but the amount of work per update is 
independent from the number of updates. However, the total amount of work a 
user must do to maintain a proof is linear in the number of updates. In appendix 
F we describe some minor efficiency improvements along these lines. 

7 Conclusion and Open Problems 

We have given a secure construction of a transparently updatable zero-knowledge 
database that is both efficient and practical in the random oracle model. For 
our construction to be secure, we must assume the existence of a VRF, and 
that mercurial commitments exist. The most practical construction that arises 
from this work is the extension of the original Micali-Rabin-Kilian construction, 
which requires the discrete logarithm assumption. These two assumptions can be 
combined by using the VRF of Dodis and Yampolskiy [3], which relies on a more 
restrictive assumption than the discrete logarithm assumption. 

Some open problems that may be of interest would be to construct: 

— Zero-knowledge transparently updatable databases with stronger security or 
more general assumptions. 

— More efficient and/or perfect zero-knowledge opaque updates. 

— Zero-knowledge databases that can be efficiently updated both transparently 
and opaquely. 
Appendix A: Formal Definitions for Opaque Updates 

These definitions are closely derived from [9]. Here, we formalize the definitions 
described in section 3.2. 

Updatable Database Simulators 

Let Sim be a probabilistic polynomial-time oracle Turing machine. We say that 
Sim is an updatable database simulator (or UDB simulator) if it computes as 
follows, relative to an external database $D$ and pseudonym function $N$: 



190 M. Liskov 


1. In its first execution, $\mathrm{Sim}^N$ outputs three strings, $\sigma$, $PK$, and $SK$. 

2. In a subsequent execution on input $SK$ and a triple $(x, D(x), N(x))$, 
$\mathrm{Sim}^N(SK, x, D(x), N(x))$ outputs a string $\pi_x$. 

3. In a subsequent execution on input $SK$ and $n$, $\mathrm{Sim}^N(SK, n)$ computes 
$PK', SK', U$ where $SK'$ becomes the new secret key, and $PK'$ and $U$ are 
outputs. When this happens, $D$ may change at up to one input, namely an 
$x$ such that $N(x) = n$. 


Transparently Updatable Zero-Knowledge Databases 
Let (Commit, Prove, DBUpdate, Verify, PUpdate) be a TUDB system where all the 
Turing machines in the quintuple run in probabilistic polynomial time. We say 
that (Commit, Prove, DBUpdate, Verify, PUpdate) is a zero-knowledge transpar- 
ently updatable database system (or ZKTUDB system) if there exists a UDB 
simulator Sim and a constant c such that 

1. Completeness. $\forall$ database $D$, $\exists \nu$ negligible such that $\forall k$, $\forall r, s$ such that 
$0 \le s \le r \le k^c$, 

\[
\begin{array}{l}
\Pr[\ \sigma \leftarrow \{0,1\}^{k^c};\ (PK, SK) \leftarrow \mathrm{Commit}(D, 1^k, \sigma); \\
\quad x_1 \leftarrow \{0,1\}^*;\ y_1 \leftarrow \{0,1\}^*;\ \ldots;\ x_r \leftarrow \{0,1\}^*;\ y_r \leftarrow \{0,1\}^*;\ x \leftarrow \{0,1\}^*; \\
\quad (PK', SK', U) \leftarrow \mathrm{DBUpdate}(D, 1^k, \sigma, PK, SK, (x_1, y_1));\ PK \leftarrow PK';\ SK \leftarrow SK';\ D(x_1) \leftarrow y_1; \\
\quad \ldots \\
\quad (PK', SK', U) \leftarrow \mathrm{DBUpdate}(D, 1^k, \sigma, PK, SK, (x_s, y_s));\ PK \leftarrow PK';\ SK \leftarrow SK';\ D(x_s) \leftarrow y_s; \\
\quad \pi_x \leftarrow \mathrm{Prove}(D, 1^k, \sigma, PK, SK, x); \\
\quad (PK', SK', U) \leftarrow \mathrm{DBUpdate}(D, 1^k, \sigma, PK, SK, (x_{s+1}, y_{s+1}));\ SK \leftarrow SK';\ D(x_{s+1}) \leftarrow y_{s+1}; \\
\quad \pi_x \leftarrow \mathrm{PUpdate}(1^k, \sigma, PK, PK', U, x, \pi_x);\ PK \leftarrow PK'; \\
\quad \ldots \\
\quad (PK', SK', U) \leftarrow \mathrm{DBUpdate}(D, 1^k, \sigma, PK, SK, (x_r, y_r));\ SK \leftarrow SK';\ D(x_r) \leftarrow y_r; \\
\quad \pi_x \leftarrow \mathrm{PUpdate}(1^k, \sigma, PK, PK', U, x, \pi_x);\ PK \leftarrow PK'; \\
\quad y \leftarrow \mathrm{Verify}(1^k, \sigma, PK, x, \pi_x) : \\
\quad \text{if } \exists i \text{ such that } s < i \le r \text{ and } x_i = x \text{ then } y = \bot, \text{ otherwise } y = D(x)\ ] > 1 - \nu(k).
\end{array}
\]

Here, $s$ is the number of updates before the proof is given, and $r$ is the 
number of updates total. 

2. Soundness. $\forall x \in \{0, 1\}^*$ and $\forall P'$ probabilistic polynomial time, $\exists \nu$ negligible 
such that $\forall k$, 

\[
\begin{array}{l}
\Pr[\ \sigma \leftarrow \{0,1\}^{k^c};\ (PK, x, \pi_1, \pi_2) \leftarrow P'(1^k, \sigma); \\
\quad y_1 \leftarrow \mathrm{Verify}(1^k, \sigma, PK, x, \pi_1);\ y_2 \leftarrow \mathrm{Verify}(1^k, \sigma, PK, x, \pi_2) : \\
\quad \mathrm{reject} \notin \{y_1, y_2\} \wedge y_1 \neq y_2\ ] < \nu(k),
\end{array}
\]

3. Zero-knowledge with respect to $N$. $\forall A$ acceptable adversaries, $\forall k$, $\mathrm{View}(k) \approx 
\mathrm{View}'(k)$,⁴ where 
4 As usual, $\approx$ may refer to computational indistinguishability (in which case the sys-
tem is said to be “computationally zero-knowledge”), statistical closeness (“statis-
tical zero-knowledge”), or equality (“perfect zero-knowledge”). For computational 
indistinguishability, $A$ must be a polynomial-time adversary. For statistical or per-
fect indistinguishability, we do not limit $A$’s power. 
$\mathrm{View}(k) =$ 

\[
\begin{array}{l}
\mathrm{View}_A\{\ \sigma \leftarrow \{0,1\}^{k^c};\ (D, s_0) \leftarrow A(1^k, \sigma);\ (PK, SK) \leftarrow \mathrm{Commit}(D, 1^k, \sigma);\ z_0 \leftarrow PK; \\
\quad (w_1, s_1) \leftarrow A(s_0, z_0); \\
\quad \text{If } w_1 = \mathrm{Update}(x_1, y_1), \\
\qquad (PK'_1, SK'_1, U_1) \leftarrow \mathrm{DBUpdate}(D, 1^k, \sigma, PK, SK, x_1, y_1);\ SK \leftarrow SK'_1;\ PK \leftarrow PK'_1; \\
\qquad D(x_1) \leftarrow y_1;\ z_1 \leftarrow (PK'_1, U_1); \\
\quad \text{Else if } w_1 = \mathrm{Query}(x_1),\ \pi_1 \leftarrow \mathrm{Prove}(D, 1^k, \sigma, PK, SK, x_1);\ z_1 \leftarrow \pi_1; \\
\quad (w_2, s_2) \leftarrow A(s_1, z_1); \\
\quad \ldots\ \}
\end{array}
\]

and 

$\mathrm{View}'(k) =$ 

\[
\begin{array}{l}
\mathrm{View}_A\{\ (\sigma, PK, SK) \leftarrow \mathrm{Sim}^N(1^k);\ (D, s_0) \leftarrow A(1^k, \sigma);\ z_0 \leftarrow PK; \\
\quad (w_1, s_1) \leftarrow A(s_0, z_0); \\
\quad \text{If } w_1 = \mathrm{Update}(x_1, y_1), \\
\qquad (PK'_1, SK'_1, U_1) \leftarrow \mathrm{Sim}^N(SK, N(x_1));\ SK \leftarrow SK'_1;\ PK \leftarrow PK'_1; \\
\qquad D(x_1) \leftarrow y_1;\ z_1 \leftarrow (PK'_1, U_1); \\
\quad \text{Else if } w_1 = \mathrm{Query}(x_1),\ \pi_1 \leftarrow \mathrm{Sim}^N(SK, x_1, D(x_1), N(x_1));\ z_1 \leftarrow \pi_1; \\
\quad (w_2, s_2) \leftarrow A(s_1, z_1); \\
\quad \ldots\ \}
\end{array}
\]

Appendix B: Opaquely Updatable Zero-Knowledge 
Databases 

We define opaquely updatable zero- knowledge databases, and present a solution 
following ideas from Rackoff, Ostrovsky, and Smith [11] that is inefficient and 
relies on general non-interactive zero-knowledge proofs. We do not present any 
practical, efficient method better than simply committing the updated database 
from scratch; indeed, we view this as an important open problem. 

An opaquely updatable database system (or OUDB system) is a quadruple 
of algorithms (Commit, Prove, DBUpdate, Verify) which satisfy the properties 
of a TUDB system, except that DBUpdate outputs only $PK', SK'$. 

Zero-knowledge opaquely updatable databases are defined similarly to trans- 
parently updatable ones. Let (Commit, Prove, DBUpdate, Verify) be a UDB sys- 
tem where all the Turing machines in the quadruple run in probabilistic poly- 
nomial time. We say that (Commit, Prove, DBUpdate, Verify) is a zero-knowledge 
opaquely updatable database system (or ZKOUDB system) if there is a UDB sim- 
ulator Sim and a constant c such that the following four properties are satisfied: 

1. Perfect completeness. $\forall$ database $D$, $\forall r$, $\forall$ sequences of updates $(x_1, y_1), \ldots,$ 
$(x_r, y_r)$, and $\forall x \in [D] \cup \{x_1, \ldots, x_r\}$, 

\[
\begin{array}{l}
\Pr[\ \sigma \leftarrow \{0,1\}^{k^c};\ (PK, SK) \leftarrow \mathrm{Commit}(D, 1^k, \sigma); \\
\quad (PK', SK', U) \leftarrow \mathrm{DBUpdate}(D, 1^k, \sigma, PK, SK, (x_1, y_1));\ PK \leftarrow PK';\ SK \leftarrow SK';\ D(x_1) \leftarrow y_1; \\
\quad \ldots \\
\quad (PK', SK', U) \leftarrow \mathrm{DBUpdate}(D, 1^k, \sigma, PK, SK, (x_r, y_r));\ PK \leftarrow PK';\ SK \leftarrow SK';\ D(x_r) \leftarrow y_r; \\
\quad \pi_x \leftarrow \mathrm{Prove}(D, 1^k, \sigma, PK, SK, x);\ y \leftarrow \mathrm{Verify}(1^k, \sigma, PK, x, \pi_x) : \\
\quad y = D(x)\ ] = 1.
\end{array}
\]


2. Soundness. (Commit, Prove, DBUpdate, Verify) satisfies the soundness prop- 
erty of a ZKTUDB. 

3. Zero-knowledge. (Commit, Prove, Verify) satisfies the zero-knowledge proper- 
ties of a ZK database. We actually want zero-knowledge to hold for an ad- 
versary that can adaptively ask for queries and updates, but we capture the 
difference in our definition of update secrecy. 

4. Update secrecy. For all appropriate $A$, $\mathrm{View}(k) \approx \mathrm{View}'(k)$ where: 

$\mathrm{View}(k) =$ 

\[
\begin{array}{l}
\mathrm{View}_A\{\ \sigma \leftarrow \{0,1\}^{k^c};\ (D, s_0) \leftarrow A(\sigma);\ (PK, SK) \leftarrow \mathrm{Commit}(D, 1^k, \sigma); \\
\quad z_0 \leftarrow PK;\ (w_1, s_1) \leftarrow A(s_0, z_0); \\
\quad \text{If } w_1 = \mathrm{Update}(x_1, y_1), \\
\qquad (PK', SK') \leftarrow \mathrm{DBUpdate}(D, 1^k, \sigma, PK, SK, x_1, y_1);\ SK \leftarrow SK';\ PK \leftarrow PK'; \\
\qquad D(x_1) \leftarrow y_1;\ z_1 \leftarrow PK'; \\
\quad \text{Else if } w_1 = \mathrm{Query}(x_1),\ \pi_1 \leftarrow \mathrm{Prove}(D, 1^k, \sigma, PK, SK, x_1);\ z_1 \leftarrow \pi_1; \\
\quad (w_2, s_2) \leftarrow A(s_1, z_1); \\
\quad \ldots\ \}
\end{array}
\]

$\mathrm{View}'(k) =$ 

\[
\begin{array}{l}
\mathrm{View}_A\{\ \sigma \leftarrow \{0,1\}^{k^c};\ (D, s_0) \leftarrow A(\sigma);\ (PK, SK) \leftarrow \mathrm{Commit}(D, 1^k, \sigma); \\
\quad z_0 \leftarrow PK;\ (w_1, s_1) \leftarrow A(s_0, z_0); \\
\quad \text{If } w_1 = \mathrm{Update}(x_1, y_1), \\
\qquad D(x_1) \leftarrow y_1;\ (PK', SK') \leftarrow \mathrm{Commit}(D, 1^k, \sigma);\ SK \leftarrow SK';\ PK \leftarrow PK'; \\
\qquad z_1 \leftarrow PK'; \\
\quad \text{Else if } w_1 = \mathrm{Query}(x_1),\ \pi_1 \leftarrow \mathrm{Prove}(D, 1^k, \sigma, PK, SK, x_1);\ z_1 \leftarrow \pi_1; \\
\quad (w_2, s_2) \leftarrow A(s_1, z_1); \\
\quad \ldots\ \}
\end{array}
\]

Again, appropriate adversaries are polynomial-time adversaries for compu- 
tational indistinguishability, and unbounded adversaries otherwise. 


Opaquely Updatable Construction 

To create an opaquely updatable zero-knowledge database, following Rackoff, 
Ostrovsky, and Smith [11], we modify the CHLMR construction as follows. In-
stead of sending a proof $\pi_x$ to the verifier, we give $D(x)$ and a non-interactive 
zero-knowledge proof of knowledge relative to $\sigma$ of knowledge of $\pi_x$ such that 
$\pi_x$ is a valid proof. To update, we just update the values where required, but do 
not publish any of the updated values. We clearly have zero-knowledge: in order 
to simulate, we just randomly create $c_\varepsilon$ initially and each time we are asked to 
update we create a new random commitment, and any time we are asked to 
give a proof, we provide a faked non-interactive zero-knowledge proof. Further-
more, $c_\varepsilon$ forms a random commitment whether or not it was generated from 
DBUpdate, so we have update secrecy as well, and soundness and completeness 
follow from these same properties of CHLMR databases. 

However, such non-interactive zero-knowledge proof systems are also only 
computational zero-knowledge. In addition, much effort was taken by Micali, 
Rabin, and Kilian to avoid both computational zero-knowledge and the need 
for general non-interactive zero-knowledge proofs. The large amount of ineffi-
ciency added to the system may even overbalance the objection to the solution of 
recommitting the database from scratch. We consider it a significant open prob-
lem to construct an efficient and practical opaquely updatable zero-knowledge 
database. 


Appendix C: Detailed Proof of Security 

Proof of Theorem 1. To prove Theorem 1, we must make a minor additional 
assumption, and prove several things. 

First of all, note that when an update occurs, the only difference between the 
secret information in our construction and the secret information in a CHLMR 
database is that in our construction, it may be that for some internal nodes $\omega$ 
which have no descendants in the tree, $c_\omega$ is a hard commitment rather than a 
soft one. However, that is unimportant as proofs involving such an $\omega$ as a node 
on the path will always be of nonmembership, and so only soft decommitments 
will be revealed. 

To prove completeness, note that when the database is updated, part of 
an old proof about a different element will include path elements that have 
changed. However, such path elements are always published as part of the update 
information, so they can simply be replaced. Thus, the updated proof is valid. 
The only possible snag we can run into is that if $N(x) = N(x')$ then an update 
about $x'$ would prevent a proof about $x$ from being properly updated. Barring 
this, as long as no updates have occurred about the element $x$ since $\pi_x$ was 
issued, $\pi_x$ may be updated successfully. To deal with this issue we must assume 
that $N(x)$ is such that collisions are unlikely to occur. This is certainly the case 
for all $N$ we use. 

To prove soundness, note that if a cheating prover were to be able to produce 
relative to a random $\sigma$ a public key $PK$ and two valid proofs $\pi_1$ and $\pi_2$ proving 
different results about $D(x)$ for some particular $x$, then this same prover would 
violate the soundness of CHLMR databases. 

To prove zero-knowledge, we describe the simulator. The simulator must do 
five things: it must create the string $\sigma$, it must provide the initial commitment, 
and it must provide proofs and updates when requested. 

— To produce $\sigma$, $PK$, or to produce a proof that $D(x) = y$, the simulator runs 
just as the CHLMR simulator does, except using $N(x)$ instead of $H(x)$ to 
determine the location of key pairs. 

— To produce an update on a pseudonym $n$, it computes $v_n = H(\varepsilon)$ and computes 
a new commitment $c_n$. The simulator then updates all the commitments along 
the path from $\varepsilon$ to $n$ from soft to hard commitments, with the proper values 
to maintain the Merkle tree structure. The simulator incorporates any new 
decommitment information into $SK'$. 
Now, to prove that the view provided to the adversary in the real model is 
identical to that in the ideal model, we describe the view of the adversary. In 
the real world, the adversary sees the random string $\sigma$, and then after specifying 
$D$, the commitment $c_\varepsilon$. Then, for each proof query, the adversary sees a proof 
about $x$ which consists of an appropriate value $v_{N(x)}$ and random commitments 
$c_\omega$ to appropriate values, forming a hash authentication path to the root. For 
each update query, the adversary sees a pseudonym $N(x)$, a new commitment at 
$N(x)$, and for each proper prefix $\omega$ of $N(x)$, a random updated commitment $c_\omega$. 
Furthermore, in the case of the discrete logarithm-based scheme, the adversary 
also sees $e$ for each such $\omega$, which shows that all these commitments are hard 
commitments. 

In the ideal world, the adversary sees the simulated $\sigma$, followed by a distri-
bution exactly the same as in the real world, except that $c_{N(x)}$ is a commitment 
to $H(\varepsilon)$ rather than $H(y)$. However, these commitments are hiding so this is 
indistinguishable from the view of the adversary in the real world. In fact, in the 
case of the discrete logarithm-based scheme, the views are identical, since the 
only difference is in what $c_\omega$ commits to where $\omega$ is a leaf, but $c_\omega$ is a perfectly 
hiding commitment. Furthermore, the distribution of real $\sigma$ values is identical 
to the distribution of simulated $\sigma$ values by the perfect zero-knowledge property 
of the Micali-Rabin-Kilian simulator. 

Proof of Theorem 2. To prove that the construction using $N(x) = 
H(f_{SK_f}(H(x)))$ is strongly secure, we must prove that it satisfies completeness, 
soundness, and computational zero-knowledge with respect to $N_P$ in the random 
oracle model. 

Completeness is already established by the completeness proof of Theorem 1; 
the only difference here is that a VRF proof must be verified (note that indeed, 
$N(x)$ here is unlikely to have collisions). However, $N(x)$ does not change when $x$ 
is updated, so this part of the proof may remain the same. To prove soundness, 
we need only note that the pseudonym $N(x)$ that will be verified is unique, from 
the soundness property of the VRF. 

Zero-knowledge is more of a challenge. We give a simulator with respect to 
$N_P$ that gives us computational zero-knowledge. First, the simulator makes 
$\sigma$ and the database commitment $c_\varepsilon$ just as the CHLMR 
simulator does. The simulator then runs GenVRF to generate $(PK_f, SK_f)$, and 
publishes $(PK_f, c_\varepsilon)$ as the database commitment. We must be 
careful to note here that $N_P$ is not available as an oracle to the 
simulator, but $N_P(x)$ is given without x for any update query, and 
$N_P(x)$ is given with x for any database query. $H^*(x)$ here refers to the 
value used in the construction; the actual pseudonym we are considering is 
$N_P(x)$. 

The simulator maintains two random functions: H and H', with the idea that 
$H'(N_P(x)) = H(f(H(x)))$. Whenever we say the simulator must “compute” 
(say) H(x), the simulator looks to see if it has ever set H(x) to any particular 
value. If so, it outputs that value. If not, it generates a random value of the 
correct length, and notes the correspondence with x. There can never be a 
problem with the simulator computing a value H(x) or H'(x). 

When the simulator receives an update query, it computes $H'(N_P(x))$, and 
uses this value as $H^*(x)$. 

When the simulator receives a database query on $x, y, N_P(x)$, the simulator 
computes H(x), and then computes $z = f_{SK_f}(H(x))$, and then attempts to set 
$H(z) = H'(N_P(x))$. That is, if H is not defined at z, H(z) is set to be the 
value computed from $H'(N_P(x))$. Otherwise, if H' is not yet defined at 
$N_P(x)$, $H'(N_P(x))$ is set to be the value computed from H(z). If H(z) and 
$H'(N_P(x))$ are already defined and equal to each other, the simulator sets 
nothing. However, if H(z) and $H'(N_P(x))$ are already defined and unequal, 
the simulator aborts. If the simulator does not abort, it fakes a proof that 
the value stored at $H^*(x) = H(z) = H'(N_P(x))$ is y, just as the MRK 
simulator does, and provides the value z along with 
$\mathrm{ProveVRF}(SK_f, H(x))$ that $z = f_{SK_f}(H(x))$. 

We must prove two things. First, in cases in which the simulator doesn’t 
abort, the adversary cannot distinguish between the simulator and the real 
prover. We can assume without loss of generality that the adversary will always 
make a database query about every value x that he asks us to update before he 
halts (doing so will only increase the probability that the simulator aborts). If 
the simulator hasn’t aborted by the time the adversary halts, we can reconcile 
H' into H, since all values $H'(N_P(x))$ will have been set equal to H(z) for 
some z (because the adversary has queried all points for which we have a 
pseudonym). 
Thus, this simulator is doing exactly what the simulator in our previous proof 
does: it accurately computes H*(x) in every case and simulates proofs and up- 
dates according to this. Thus, the view produced by such a simulator is identical 
to the view produced by the real prover. 

Second, if the simulator aborts with non-negligible probability, we can break 
the security of the VRF as follows. On input a VRF public key $PK_f$, we act 
as the simulator with the given adversary in this experiment, except we give 
$PK_f$ as the VRF public key instead of generating it ourselves, and we 
implement the simulator. Note that we only ever need to query $f_{SK_f}$ right 
before we ask for a proof about it. After some number of queries, the 
probability that the next value we ask for will cause an abort is 
non-negligible, so instead of asking for $f_{SK_f}(H(x))$ that time, we pick a 
random z such that H(z) is defined, and guess that $f_{SK_f}(H(x)) = z$. We try 
this with the given oracle (which is either the VRF or a random oracle), and 
if we are correct, we say that the oracle is a VRF; otherwise, we guess at 
random. If the oracle is the VRF, and an abort would have been caused, then we 
have a $1/p(k)$ probability of guessing the right z, where p(k) is the 
polynomial determining how many inputs have been queried from H. Thus, if the 
probability of an abort at the given step is $1/q(k)$, then the probability 
that we break the VRF is 

$$\frac{1}{2}\cdot\frac{1}{p(k)q(k)} + \frac{1}{4}\Bigl(1 - \frac{1}{p(k)q(k)}\Bigr) + \frac{1}{2}\bigl(1 - \nu(k)\bigr) ,$$

which is at least $1/2 + 1/(4p(k)q(k)) - \nu(k)$ for some negligible $\nu$. 

If the probability of an abort is non-negligible, it is non-negligible at some 
particular query. Thus, there is some reduction that breaks the security of the 
VRF. 
Appendix D: Pseudonym Collisions 

In the work of Micali, Rabin, and Kilian, the Pedersen hash function is used 
to assign pseudonyms to database elements. One attractive property of using 
the Pedersen hash function is that if a pseudonym collision occurs, the database 
owner learns the discrete logarithm of h to the base g, and then may continue 
proving what would otherwise be impossible: for instance, that D(x) = y and 
$D(x') = y' \ne y$ when H(x) = H(x'). This allows the database to have size 
that is unrelated to any security parameters. 

If, as we propose, we replace H(x) by $N(x) = H(f(H(x)))$ for some verifiable 
random function f, we lose this property: N could encounter collisions either 
from H-collisions or from f-collisions. The former would be fine while the 
latter would be a problem. In practice, it is acceptable to limit honest users 
to polynomial-size databases, in which case collisions are negligibly likely. 
However, we can preserve this property through some extra effort, which has a 
minimal impact on efficiency. 

Due to space constraints, we do not give the full details of this construction. 
The basic idea is that we use a public-key cryptosystem, and include two public 
keys: one from the cryptosystem and one from a verifiable random function. 
Then, instead of computing a = f(x), we compute $E_{PK_e}(x; a)$, that is, we 
encrypt x under the encryption public key, using a as the randomness. A proof 
consists of a and the proof that a = f(x) was properly generated by the VRF. 
This may not be pseudorandom, but in our construction it is sufficient to have 
unpredictability of the full answer, and this construction does achieve that. 

When we use this injective verifiable unpredictable function, we get a 
pseudonym function that only has collisions when they are collisions of the hash 
function. Thus, any pseudonym collisions can be worked around. 

It is worth noting, however, that the properties of the Pedersen hash function 
are nice, yet we are assuming in our (main) security proof that the hash function 
we use is a random oracle. In our opinion, the nice properties of the Pedersen 
hash are worth having, and this will probably not cause a significant security 
problem. However, we are unwilling to assume that the Pedersen hash function 
is a random oracle. 

Appendix E: Removing the Random Oracle Assumption 

If we are willing to assume certain conditions on the adversary, we can give a con- 
struction that is secure without the random oracle assumption. The conditions 
are as follows: 

— If the adversary first inquires about x in a database query, it may in the 
future ask for more database queries about x as well as updates about x. 

— If the adversary first inquires about x in an update query, it may only ask 
for more updates about x in the future. 

It may seem at first glance that we can assume this without loss of generality: 
any successful adversary could always make more queries, and thus, make a 
database query immediately before any update query so as to always comply 
with the conditions. The problem with this is that since the simulation is actually 
a game of three parties: the adversary, the simulator, and the functionality that 
provides pseudonyms, the simulator actually must interact with the functionality 
more than normal to handle adversaries that don’t hold to these conditions, 
which means that the simulator must learn more, which is not acceptable. It 
is important that in our simulation, the simulator not be able to get any more 
information out of the pseudonym-providing functionality than the adversary 
would. 

Given that all adversaries meet these restrictions, we remove the random 
oracle assumption as follows: Again, we use the pseudonym function 
$H^*(x) = H(f(H(x)))$. To simulate, this time without being able to control H 
as a random oracle, we do as follows: if x is a value that is first mentioned 
in a database query, we actually compute $H(f(H(x)))$.  If x is a value that 
is first mentioned in an update query, we know that the adversary will never 
make a database query about this particular x, so we compute 
$H^*(x) = H(R(N(x)))$ where R is a random function that we maintain, and where 
N(x) is the pseudonym of x. If the adversary can distinguish between this 
simulator and the real prover, then either the adversary managed to find an 
H-collision (for example, if H(x) = H(x'), the adversary could detect this 
simulator by making a database query on x and then an update query on x', 
which should give the same pseudonym), or all inputs that should be given to f 
are distinct between the two types, in which case the probability of 
distinguishing is exactly the probability of distinguishing the VRF from a 
random function. 

We should note that although the restriction on the adversary is nontrivial, 
such adversaries still represent a significant class of adversaries. What’s more, 
since we use the same construction here as in Theorem 2, we have actually proved 
security of that construction in two different ways: one, with the random oracle 
model, the other, with these restrictions on the adversary. 

However, we can remove the random oracle model without weakening our 
assumptions if we give up efficiency. Instead of using a VRF, we can simply 
commit to a key K for a PRP using a commitment that becomes part of the 
database commitment, and then use $f_K(H(x))$ as N(x), and prove correctness 
of this using a general NIZK proof. The advantage of this is that the 
simulator can fake NIZK proofs of false theorems, so the simulator can simply 
pretend that $F(N_P(x)) = f_K(H(x))$ where F is a random function, and fake 
proofs when necessary. 

Appendix F: Efficiency Improvements 

Multi-pair Updates 

Suppose the database owner wants to update the database at n pairs 
simultaneously. A fairly obvious method presents itself: make an update for 
each pair individually, and publish all the update information together. This 
saves space, since some updated nodes will overlap. Asymptotically, the number 
of nodes updated becomes $O(n(k - \log n)k)$, which represents some savings 
over the one-at-a-time approach, which is asymptotically $O(nk^2)$. 

Multi-proof Updates 

Suppose a proof owner has n proofs and an update is issued. If two proofs 
overlap (that is, N(x) and N(x') share a common prefix), the change in the 
updated proofs for x and x' can be computed more quickly by computing the 
change in the common portion of those two proofs together, then computing the 
change in the remaining portion of each. More generally, if a user holds n 
proofs, updating each separately would take time $O(nk^2)$, but by combining 
the work, this is reduced to time $O(n(k - \log n)k)$. 

The analysis for both of these methods is based on the observation that an 
average case instance of n random strings will have the first $\log n$ bits in 
common with a newly chosen random string. Thus, if each string translates to a 
path of length k, the expected sum of the length of all paths is 
$k + (k - \log 1) + \dots + (k - \log(n-1)) < nk - (n/2)\log(n/2) = O(n(k - \log n))$. 
The additional factor of k accounts for the length of the data per node. 
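As an added example (not code from the paper), the following Python counts the distinct hash-tree nodes on the union of the authentication paths of n k-bit pseudonyms, which is exactly what a multi-pair update or a multi-proof refresh has to recompute, and compares it with the one-at-a-time count nk and the average-case estimate above; the sample pseudonyms, the seed and the function names are constructed for this example.

```python
import math
import random

# Constructed pseudonyms (not from the paper): 4-bit strings naming leaves
# of the hash tree.  The first two share the prefix "000"; the third shares
# nothing with them, so their paths overlap in exactly three nodes.
SAMPLE_PSEUDONYMS = ["0000", "0001", "1111"]


def path_nodes(pseudonym):
    """Nodes on a leaf's authentication path: every non-empty prefix of its
    pseudonym (the root, the empty prefix, is recomputed once regardless)."""
    return {pseudonym[:i] for i in range(1, len(pseudonym) + 1)}


def nodes_touched(pseudonyms):
    """Distinct nodes recomputed when all the given leaves are updated at
    once (or all their proofs are refreshed): the union of their paths."""
    touched = set()
    for p in pseudonyms:
        touched |= path_nodes(p)
    return len(touched)


def naive_nodes(pseudonyms):
    """One-at-a-time cost: k nodes per pseudonym, shared ancestors counted
    every time they are recomputed."""
    return sum(len(p) for p in pseudonyms)


def expected_bound(n, k):
    """Average-case estimate from the text: nk - (n/2) log(n/2), i.e.
    O(n(k - log n)) nodes; multiply by k for the data stored per node."""
    return n * k - (n / 2) * math.log2(n / 2)


def random_pseudonyms(n, k, seed=0):
    """n uniformly random k-bit strings, as a random-oracle pseudonym
    function N(x) would assign them (seeded so the run is reproducible)."""
    rng = random.Random(seed)
    return [format(rng.getrandbits(k), f"0{k}b") for _ in range(n)]


if __name__ == "__main__":
    print(nodes_touched(SAMPLE_PSEUDONYMS), "vs", naive_nodes(SAMPLE_PSEUDONYMS))
    n, k = 1024, 128
    ps = random_pseudonyms(n, k)
    print(f"n={n}, k={k}: touched={nodes_touched(ps)}, naive={naive_nodes(ps)}, "
          f"bound={expected_bound(n, k):.0f}")
```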
Abstract. Shannon entropy is a useful and important measure in information 
processing, for instance, data compression or randomness extraction, under the 
assumption — which can typically safely be made in communication theory — that 
a certain random experiment is independently repeated many times. In 
cryptography, however, where a system’s working has to be proven with respect 
to a malicious adversary, this assumption usually translates to a restriction 
on the latter’s knowledge or behavior and is generally not satisfied. An 
example is quantum key agreement, where the adversary can attack each particle 
sent through the quantum channel differently or even carry out coherent 
attacks, combining a number of particles together. In information-theoretic 
key agreement, the central functionalities of information reconciliation and 
privacy amplification have, therefore, been extensively studied in the 
scenario of general distributions: Partial solutions have been given, but the 
obtained bounds are arbitrarily far from tight, and a full analysis appeared 
to be rather involved to do. We show that, actually, the general case is not 
more difficult than the scenario of independent repetitions — in fact, given 
our new point of view, even simpler. When one analyzes the possible efficiency 
of data compression and randomness extraction in the case of independent 
repetitions, then Shannon entropy H is the answer. We show that H can, in 
these two contexts, be generalized to two very simple quantities — 
$H_0^\varepsilon$ and $H_\infty^\varepsilon$, called smooth Renyi 
entropies — which are tight bounds for data compression (hence, information 
reconciliation) and randomness extraction (privacy amplification), 
respectively. It is shown that the two new quantities, and related notions, 
do not only extend Shannon entropy in the described contexts, but they also 
share central properties of the latter such as the chain rule as well as 
sub-additivity and monotonicity. 
1 Introduction, Motivation, and Main Results 

1.1 Unconditional Cryptographic Security and Key Agreement 

Unconditional cryptographic security does, in contrast to computational secu- 
rity, not depend on any assumption on an adversary’s computing power nor on 
the hardness of computational problems. This type of security is, therefore, not 
threatened by potential progress in algorithm design or (classical and quantum) 
computer engineering. On the other hand, cryptographic functionalities such as 
encryption, authentication, and two- or multi-party computation can generally 
not be realized in an unconditionally secure way simply from scratch. It is, there- 
fore, a natural question under what circumstances — as realistic as possible — they 
can be realized. In particular for encryption and authentication or, more specif- 
ically, secret-key agreement, this question has been studied extensively: In [23] 
and [9], unconditional secret key agreement is realized based on the existence 
of noisy channels between the legitimate partners and the adversary, whereas 
in [15], a scenario is introduced and studied where all parties have access to 
pieces of information (e.g., generated by repeated realizations of a certain ran- 
dom experiment). On the other hand, the possibility of information-theoretic 
key agreement has also been studied between parties connected not only by a 
classical, but also a quantum channel allowing for the transmission of quantum 
states [22,1]. Here, the security can be shown under the condition that the laws 
of quantum physics are correct. 

If, in a certain scenario, unconditional secret-key agreement is possible in 
principle, then it is a natural question what the maximum length of the generated 
secret key can be. To find the answer to this question has turned out to often 
reduce to analyzing two functionalities that form important building blocks of 
protocols for secret-key agreement (in any of the described settings), namely 
information reconciliation and privacy amplification. 

Information reconciliation (see, for instance [4]) means that the legitimate 
partners generate identical shared strings from (possibly only weakly) correlated 
ones by noiseless and authenticated but public communication, hereby leaking 
to the adversary only a minimal amount of information about the original and, 
hence, the resulting string. The generated common but potentially highly com- 
promised string must then be transformed into a virtually secret key by privacy 
amplification. On the technical level — but roughly speaking — , information rec- 
onciliation is error correction, whereas privacy amplification is hashing, e.g., by 
applying a universal hash function [13,2] or an extractor [16] allowing for 
distilling a weakly random string’s min-entropy $H_\infty$. When these two 
functionalities 
are analyzed in a context where all pieces of information stem from many in- 
dependent repetitions of the same random experiment, then the analysis shows 
that the amount of information to be exchanged in optimal information reconcil- 
iation is the conditional Shannon entropy of, say, one party Alice’s information, 
given the other Bob’s; on the other hand, privacy amplification, in the same 
independent-repetitions setting, allows for extracting a string the length of which 
equals the conditional Shannon entropy of the shared string given the adversary’s 
information. Hence, as often in information theory, Shannon entropy turns out 
to be very useful in this asymptotic model. In a (classical or quantum) crypto- 
graphic context, however, the assumption of independent repetitions typically 
corresponds to a restriction on the adversary’s behavior, and cannot realistically 
be made. It has been a common belief that in this case, the analysis of the 
described information-reconciliation and privacy-amplification protocols — and 
their combination — are quite involved and lead to rather complex (functional) 
bounds on the (operational) quantities such as the key length. It is the main 
goal of this paper to show that this is, actually, not the case. 


1.2 Information Reconciliation and Privacy Amplification 

Information reconciliation is error correction: Given that Alice and Bob 
hold random variables X and Y, respectively, Alice wants to send a minimal 
quantity of information C to Bob such that given Y and C, he can perfectly 
reconstruct X with high probability. (More generally, protocols for information 
reconciliation can use two-way communication. Such interactive protocols can 
be computationally much more efficient than one-way protocols, but do not re- 
duce the minimal amount of information to be exchanged [4].) To determine 
the minimal amount of information to be sent from Alice to Bob such that the 
latter can reconstruct Alice’s information with high probability reduces to the 
following data-compression problem. 

Question 1. Given a distribution $P_{XY}$ and $\varepsilon \ge 0$, what is the 
minimum length $H^\varepsilon_{\mathrm{enc}}(X|Y)$ of a binary string 
$C = e(X,R)$, computed from X and some additional independent randomness R, 
such that there exists an event $\Omega$ with probability at least 
$1 - \varepsilon$ such that given $\Omega$, X is uniquely determined by C, Y, 
and R? 

Privacy amplification is randomness extraction: Given that Alice and Bob 
both know X and an adversary knows Y, Alice wants to send a message R to 
Bob such that from X and R, they can compute a (generally shorter) common 
string S about which the adversary, knowing Y and R but not X, has no in- 
formation except with small probability. More specifically, privacy amplification 
deals with the following randomness-extraction problem. 

Question 2. Given a distribution $P_{XY}$ and $\varepsilon \ge 0$, what is the 
maximum length $H^\varepsilon_{\mathrm{ext}}(X|Y)$ of a binary string 
$S = f(X,R)$, where R is an additional random variable, such that there exists 
a uniformly distributed random variable U that is independent of (Y, R) 
together with an event $\Omega$ with probability at least $1 - \varepsilon$ 
such that given $\Omega$, we have S = U? 

The problems of determining $H^\varepsilon_{\mathrm{enc}}(X|Y)$ and 
$H^\varepsilon_{\mathrm{ext}}(X|Y)$ have been studied by several authors. 
Note, first of all, that in the case where the distribution in question is of 
the form $P_{X^nY^n} = (P_{XY})^n$, corresponding to n independent repetitions 
of the random experiment $P_{XY}$, we have, for $\varepsilon > 0$, 

$$\lim_{n\to\infty} \frac{H^\varepsilon_{\mathrm{enc}}(X^n|Y^n)}{n} = \lim_{n\to\infty} \frac{H^\varepsilon_{\mathrm{ext}}(X^n|Y^n)}{n} = H(X|Y) .$$


Interestingly, the two — a priori very different — questions have the same answer 
in this case. We will show that in general, this is not true. 

Unfortunately, the assumption that the distribution has product form is gen- 
erally unrealistic in a cryptographic context: In quantum key agreement, for 
instance, it corresponds to the assumption that the adversary attacks every par- 
ticle individually, independently, and in exactly the same way. But what if she 
does not? 

It is fair to say that the problem of optimizing privacy amplification and 
“distribution uniformizing” has been studied intensively in the general case and 
considered to be quite involved (see, for instance, [5], [6], [7], and references 
therein). It is our goal to show that this belief is, both for information reconcil- 
iation and privacy amplification, in fact unjustified. 

An example of a previous result is that $H^\varepsilon_{\mathrm{ext}}(X|Y)$ is 
bounded from below by the minimum, over all $y \in \mathcal{Y}$, of the 
so-called collision entropies or Renyi entropies of order 2, $H_2(X|Y=y)$ (see 
below for a precise definition) [2]. However, this bound is not tight: For 
instance, the adversary can be given additional knowledge that increases the 
$H_2$-entropy from her viewpoint. In fact, such “spoiling-knowledge” arguments 
do not only show that the $H_2$-bound is arbitrarily far from tight, but also 
that the quantity $H_2$ has some very counter-intuitive properties that make 
it hard to handle. 

We define two quantities that can be computed very easily and that represent 
tight bounds on $H^\varepsilon_{\mathrm{enc}}$ and 
$H^\varepsilon_{\mathrm{ext}}$, respectively. In a nutshell, we show that the 
general case is as easy as the special independent-repetitions scenario — or 
even easier when looked at in the right way. We also observe that, in general, 
the answers to Questions 1 and 2 above are not at all equal. 


1.3 Two New Quantities: Conditional Smooth Renyi Entropies and 
Their Significance 

For a distribution $P_{XY}$ and $\varepsilon \ge 0$, let^1 

$$H_0^\varepsilon(X|Y) := \min_{\Omega} \max_{y\in\mathcal{Y}} \log \bigl|\{x : P_{X\Omega|Y=y}(x) > 0\}\bigr| , \qquad (1)$$

$$H_\infty^\varepsilon(X|Y) := \max_{\Omega} \min_{y\in\mathcal{Y}} \min_{x\in\mathcal{X}} \bigl(-\log P_{X\Omega|Y=y}(x)\bigr) , \qquad (2)$$

where the first minimum/maximum ranges over all events $\Omega$ with 
probability $\Pr[\Omega] \ge 1 - \varepsilon$. 

First, we observe that these quantities are defined with respect to $P_{XY}$ 
in a very simple way and are very easy to compute. Indeed, the involved 
optimization problems can easily be solved by eliminating the smallest 
probabilities and by cutting down the largest probabilities, respectively. On 
the other hand, they provide the answers to Questions 1 and 2 (Section 3). 

^1 All logarithms in this paper are binary. $P_{X\Omega}(x)$ is the 
probability that $\Omega$ occurs and X takes the value x. 
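As an added example (not code from the paper), the following Python computes $H_0^\varepsilon(X|Y)$ and $H_\infty^\varepsilon(X|Y)$ for a small constructed joint distribution by exactly the two greedy procedures just described, eliminating the smallest probabilities and cutting down the largest, using the sub-normalized functions $Q_{XY} \le P_{XY}$ of Definition 1 in Section 2.1; the distribution, the bisection and the function names are assumptions of the example.

```python
import math

# Constructed joint distribution P_XY (not from the paper), stored as
# {y: [P_XY(x, y) for x in X]}.  Given Y = 0, X is (1/2, 1/4, 1/8, 1/8);
# given Y = 1, X is uniform on four values.  Both values of Y are equally likely.
PXY = {
    0: [0.25, 0.125, 0.0625, 0.0625],
    1: [0.125, 0.125, 0.125, 0.125],
}


def marginal_y(pxy):
    """P_Y(y) = sum over x of P_XY(x, y)."""
    return {y: sum(row) for y, row in pxy.items()}


def h0_smooth(pxy, eps):
    """H_0^eps(X|Y), Eq. (1): eliminate the smallest probabilities.

    For a candidate support size s, keeping the s largest cells of every
    column y and deleting the rest removes the least mass any event Omega
    with max_y |supp(X Omega | Y=y)| <= s can remove.  The answer is log2 of
    the smallest s whose removed mass does not exceed eps (assumes eps < 1).
    """
    n_x = max(len(row) for row in pxy.values())
    for s in range(1, n_x + 1):
        removed = sum(sum(sorted(row, reverse=True)[s:]) for row in pxy.values())
        if removed <= eps + 1e-12:
            return math.log2(s)
    raise ValueError("eps must be smaller than 1")


def hinf_smooth(pxy, eps, iters=200):
    """H_inf^eps(X|Y), Eq. (2): cut down the largest probabilities.

    The optimal sub-normalized Q_XY <= P_XY (Definition 1) caps every
    conditional probability P_XY(x, y)/P_Y(y) at one threshold t, i.e.
    Q_XY(x, y) = min(P_XY(x, y), t * P_Y(y)), and H_inf^eps(X|Y) = -log2(t)
    for the smallest t whose kept mass sum Q_XY is still >= 1 - eps.  The
    kept mass grows monotonically with t, so t is found by bisection.
    """
    py = marginal_y(pxy)

    def kept_mass(t):
        return sum(min(p, t * py[y]) for y, row in pxy.items() for p in row)

    lo, hi = 0.0, 1.0  # kept_mass(1.0) == 1 >= 1 - eps, so hi is feasible
    for _ in range(iters):
        mid = (lo + hi) / 2
        if kept_mass(mid) >= 1 - eps - 1e-12:
            hi = mid  # still feasible: try a lower cap
        else:
            lo = mid
    return -math.log2(hi)


def shannon_conditional(pxy):
    """H(X|Y) = -sum_{x,y} P_XY(x,y) log2 P_{X|Y=y}(x), for comparison."""
    py = marginal_y(pxy)
    return -sum(p * math.log2(p / py[y])
                for y, row in pxy.items() for p in row if p > 0)


if __name__ == "__main__":
    # With eps = 0 the smooth quantities are the plain H_0 and H_inf, which
    # sandwich the Shannon entropy; a little smoothing moves both of them.
    for eps in (0.0, 0.2):
        print(f"eps={eps}: H_0^eps(X|Y)={h0_smooth(PXY, eps):.4f}  "
              f"H_inf^eps(X|Y)={hinf_smooth(PXY, eps):.4f}")
    print(f"Shannon H(X|Y)={shannon_conditional(PXY):.4f}")
```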

Answer to Question 1. For $\varepsilon_1 + \varepsilon_2 = \varepsilon$, we have 

$$H_0^\varepsilon(X|Y) \le H^\varepsilon_{\mathrm{enc}}(X|Y) \le H_0^{\varepsilon_1}(X|Y) + \log(1/\varepsilon_2) .$$

Answer to Question 2. For $\varepsilon_1 + \varepsilon_2 = \varepsilon$, we have 

$$H_\infty^{\varepsilon_1}(X|Y) - 2\log(1/\varepsilon_2) \le H^\varepsilon_{\mathrm{ext}}(X|Y) \le H_\infty^\varepsilon(X|Y) .$$

We can say that — modulo a small error term — these results provide simple 
functional representations of the important and natural operationally defined 
quantities $H^\varepsilon_{\mathrm{enc}}$ and $H^\varepsilon_{\mathrm{ext}}$. 
In a way, $H_0^\varepsilon$ (i.e., $H^\varepsilon_{\mathrm{enc}}$) and 
$H_\infty^\varepsilon$ are two natural generalizations of Shannon entropy to a 
cryptographic setting with an adversary potentially not following any rules. 
In particular, both $H_0^\varepsilon$ and $H_\infty^\varepsilon$ fall back to 
Shannon entropy if the distribution is of the form $(P_{XY})^n$ for large n 
(Section 2.3). An example of an application of our results is the possibility 
of analyzing quantum key-agreement protocols or classical protocols based on 
correlated information. For instance, our results allow for deriving a simple 
tight bound on the efficiency of key agreement by one-way communication^2 
(Section 3.3). 

$H_0^\varepsilon$ and $H_\infty^\varepsilon$ are special cases of smooth Renyi 
entropies. In Section 2.1 we give the general definition of conditional and 
unconditional smooth Renyi entropies of any order $\alpha$, and in Section 2.2 
we show that, roughly speaking, $H_\alpha^\varepsilon$ is, for any $\alpha$ 
($\ne 1$), equal to either $H_0^\varepsilon$ (if $\alpha < 1$) or 
$H_\infty^\varepsilon$ ($\alpha > 1$) up to an additive constant. 
Unconditional smooth Renyi entropy has been introduced in [19], applied in 
[18], and is, implicitly, widely used in the randomness-extraction literature 
(see, e.g., [21]). We will show, however, that the conditional quantities, 
introduced in this paper, are the ones that prove particularly useful in the 
context of cryptography. 

If we have concluded that $H_0^\varepsilon$ and $H_\infty^\varepsilon$ 
generalize Shannon entropy, then this is, in addition, true because they have 
similar properties (Section 2.4). We summarize the most important ones in a 
table. (Let $\varepsilon, \varepsilon', \varepsilon_1$, and $\varepsilon_2$ be 
nonnegative constants. The approximation holds up to 
$\log(1/(\varepsilon - \varepsilon_1 - \varepsilon_2))$.) 

Hence, all important properties of Shannon entropy also hold for the new 
quantities generalizing it. In contrast, note that the important chain rule, for 
instance, does not hold for the original, “non-smooth” Renyi entropies $H_0$, 
$H_2$, and $H_\infty$. In fact, this drawback is one of the reasons for the 
somewhat limited 
applicability of these quantities. 


2 Our results thus also apply to fuzzy extractors [10] which are technically the same as 
one-way secret-key agreement schemes (where the generation and the reproduction 
procedures correspond to the algorithms of Alice and Bob, respectively). 
Table: properties of Shannon entropy H and of the new entropies 
$H_0^\varepsilon$ and $H_\infty^\varepsilon$. 

chain rule (Lemmas 4 and 5) 
  Shannon entropy H:  $H(X|Y) = H(XY) - H(Y)$ 
  New entropies:      $H_0^{\varepsilon+\varepsilon'}(XY) - H_0^{\varepsilon'}(Y) \le H_0^{\varepsilon}(X|Y) \le H_0^{\varepsilon_1}(XY) - H_\infty^{\varepsilon_2}(Y)$ 
                      $H_\infty^{\varepsilon_1}(XY) - H_0^{\varepsilon_2}(Y) \le H_\infty^{\varepsilon}(X|Y) \le H_\infty^{\varepsilon+\varepsilon'}(XY) - H_\infty^{\varepsilon'}(Y)$ 

sub-additivity (Lemma 6) 
  Shannon entropy H:  $H(XY) \le H(X) + H(Y)$ 
  New entropies:      $H_0^{\varepsilon+\varepsilon'}(XY) \le H_0^{\varepsilon}(X) + H_0^{\varepsilon'}(Y)$ 
                      $H_\infty^{\varepsilon}(XY) \le H_\infty^{\varepsilon+\varepsilon'}(X) + H_0^{\varepsilon'}(Y)$ 

monotonicity (Lemma 7) 
  Shannon entropy H:  $H(X) \le H(XY)$ 
  New entropies:      $H_0^{\varepsilon}(X) \le H_0^{\varepsilon}(XY)$ 
                      $H_\infty^{\varepsilon}(X) \le H_\infty^{\varepsilon}(XY)$ 

The proofs of the above properties of the new, more general, quantities 
are — just as are their definitions — in fact simpler than the corresponding proofs 
for Shannon entropy; they only apply counting arguments (instead of, for in- 
stance, the concavity of the logarithm function and Jensen’s inequality). Since, 
on the other hand, Shannon entropy is simply a special case of the new quantities 
(for many independent repetitions), we obtain simpler proofs of the correspond- 
ing properties of Shannon entropy for free. 

Note that although we state that all smooth Renyi entropies come down to 
either $H_0^\varepsilon$ or $H_\infty^\varepsilon$, we give general 
definitions and statements on $H_\alpha^\varepsilon$ for any $\alpha$. This 
can be convenient in contexts in which the entropies have a natural 
significance, such as $H_2$ in connection with two-universal hashing [2]. 


2 Smooth Renyi Entropy: Definition and Properties 


2.1 Definition 


We start by briefly reviewing the notion of smooth Renyi entropy [19] and then 
generalize it to conditional smooth Renyi entropy. 

Let X be a random variable on $\mathcal{X}$ with probability distribution 
$P_X$. We denote by $\mathcal{B}^\varepsilon(P_X)$ the set of non-negative 
functions $Q_X$ with domain $\mathcal{X}$ such that $Q_X(x) \le P_X(x)$, for 
any $x \in \mathcal{X}$, and $\sum_{x\in\mathcal{X}} Q_X(x) \ge 1 - \varepsilon$. 
The $\varepsilon$-smooth Renyi entropy of order $\alpha$, for 
$\alpha \in (0,1) \cup (1,\infty)$ and $\varepsilon \ge 0$, is defined by^3 

$$H_\alpha^\varepsilon(X) := \frac{1}{1-\alpha} \log r_\alpha^\varepsilon(X) ,$$

where 

$$r_\alpha^\varepsilon(X) := \inf_{Q_X \in \mathcal{B}^\varepsilon(P_X)} \sum_{x\in\mathcal{X}} Q_X(x)^\alpha .$$


3 The definition given here slightly differs from the original definition in [19] . However, 
it turns out that this version is more appropriate for our generalization to conditional 
smooth Renyi entropy (Definition 1). 
For $\alpha = 0$ and $\alpha = \infty$, smooth Renyi entropy is defined by the 
limit values, i.e., $H_0^\varepsilon(X) := \lim_{\alpha\to 0} H_\alpha^\varepsilon(X)$ 
and $H_\infty^\varepsilon(X) := \lim_{\alpha\to\infty} H_\alpha^\varepsilon(X)$. 

It follows directly from the definition that, for $\alpha < 1$, 

$$\varepsilon \ge \varepsilon' \Longleftrightarrow H_\alpha^\varepsilon(X) \le H_\alpha^{\varepsilon'}(X)$$

holds and, similarly, for $\alpha > 1$, 

$$\varepsilon \ge \varepsilon' \Longleftrightarrow H_\alpha^\varepsilon(X) \ge H_\alpha^{\varepsilon'}(X) .$$

Moreover, for $\varepsilon = 0$, smooth Renyi entropy $H_\alpha^0(X)$ is equal 
to “conventional” Renyi entropy $H_\alpha(X)$ [20]. Similarly to conditional 
Shannon entropy, we define a conditional version of smooth Renyi entropy. 

Definition 1. Let X and Y be random variables with range $\mathcal{X}$ and 
$\mathcal{Y}$, respectively, and joint probability distribution $P_{XY}$. The 
conditional $\varepsilon$-smooth Renyi entropy of order $\alpha$ of X given Y, 
for $\alpha \in (0,1) \cup (1,\infty)$ and $\varepsilon \ge 0$, is defined by 

$$H_\alpha^\varepsilon(X|Y) := \frac{1}{1-\alpha} \log r_\alpha^\varepsilon(X|Y)$$

where 

$$r_\alpha^\varepsilon(X|Y) := \inf_{Q_{XY} \in \mathcal{B}^\varepsilon(P_{XY})} \max_{y\in\mathcal{Y}} \sum_{x\in\mathcal{X}} Q_{X|Y=y}(x)^\alpha ,$$

and where $Q_{X|Y=y}(x) := Q_{XY}(x,y)/P_Y(y)$, for any $x \in \mathcal{X}$ 
and $y \in \mathcal{Y}$ (with the convention $Q_{X|Y=y}(x) = 0$ if 
$P_Y(y) = 0$).^4 For $\alpha = 0$ and $\alpha = \infty$, we define 
$H_0^\varepsilon(X|Y) := \lim_{\alpha\to 0} H_\alpha^\varepsilon(X|Y)$ and 
$H_\infty^\varepsilon(X|Y) := \lim_{\alpha\to\infty} H_\alpha^\varepsilon(X|Y)$. 

For $\alpha = 0$ and $\alpha = \infty$, Definition 1 reduces to (1) and (2), 
respectively. Note that the infimum is in fact a minimum which is obtained by 
cutting away the smallest probabilities or cutting down the largest, 
respectively. 


2.2 Basic Properties 

We will now derive some basic properties of smooth Renyi entropy. In 
particular, we show that the smooth Renyi entropies can be split into two 
classes: It turns out that for any value $\alpha < 1$, 
$H_\alpha^\varepsilon(X|Y)$ is, up to an additive constant, equal to 
$H_0^\varepsilon(X|Y)$. Similarly, $H_\alpha^\varepsilon(X|Y)$, for 
$\alpha > 1$, is essentially $H_\infty^\varepsilon(X|Y)$. 

For this, we need a generalization, to the smooth case, of the fact that 

$$\alpha \le \beta \Longrightarrow H_\alpha(X) \ge H_\beta(X) \qquad (3)$$

holds for any $\alpha, \beta \in [0,\infty]$. 

Lemma 1. Let X and Y be random variables. Then, for $\varepsilon \ge 0$ and 
for $\alpha \le \beta < 1$ or $1 < \alpha \le \beta$, 

$$H_\alpha^\varepsilon(X|Y) \ge H_\beta^\varepsilon(X|Y) .$$

^4 Since $\sum_x Q_{XY}(x,y)$ is generally smaller than $P_Y(y)$, the 
distribution $Q_{X|Y=y} := Q_{XY}(\cdot,y)/P_Y(y)$ is not necessarily 
normalized. 
Proof. For any probability distribution Q on $\mathcal{X}$, the right hand 
side of (3) can be rewritten as 

$$\sqrt[1-\alpha]{\sum_{x\in\mathcal{X}} Q(x)^\alpha} \ \ge\ \sqrt[1-\beta]{\sum_{x\in\mathcal{X}} Q(x)^\beta} . \qquad (4)$$

It is easy to verify that this inequality also holds for any (not necessarily 
normalized) nonnegative function Q with $\sum_{x\in\mathcal{X}} Q(x) \le 1$. 

As mentioned above, the infimum in the definition of $r_\alpha^\varepsilon$ is 
actually a minimum. Hence, there exists $Q_{XY} \in \mathcal{B}^\varepsilon(P_{XY})$ 
such that for any $y \in \mathcal{Y}$, 

$$r_\alpha^\varepsilon(X|Y) \ge \sum_{x\in\mathcal{X}} Q_{X|Y=y}(x)^\alpha$$

holds. When this is combined with (4), we find 

$$\sqrt[1-\alpha]{r_\alpha^\varepsilon(X|Y)} \ \ge\ \sqrt[1-\alpha]{\sum_{x\in\mathcal{X}} Q_{X|Y=y}(x)^\alpha} \ \ge\ \sqrt[1-\beta]{\sum_{x\in\mathcal{X}} Q_{X|Y=y}(x)^\beta} .$$

Because this holds for any $y \in \mathcal{Y}$, we conclude 

$$\sqrt[1-\alpha]{r_\alpha^\varepsilon(X|Y)} \ \ge\ \sqrt[1-\beta]{r_\beta^\varepsilon(X|Y)} .$$

The assertion now follows from the definition of smooth Renyi entropy. □ 

Lemma 2 is, in some sense, the converse of Lemma 1. Since it is a 
straightforward generalization of a statement of [19]^5, we omit the proof 
here. 

Lemma 2. Let X and Y be random variables. Then, for $\varepsilon \ge 0$, 
$\varepsilon' > 0$, and $\alpha < 1$, we have 

$$H_0^{\varepsilon+\varepsilon'}(X|Y) \le H_\alpha^{\varepsilon}(X|Y) + \frac{\log(1/\varepsilon')}{1-\alpha} ,$$

and for $\alpha > 1$, 

$$H_\infty^{\varepsilon+\varepsilon'}(X|Y) \ge H_\alpha^{\varepsilon}(X|Y) - \frac{\log(1/\varepsilon')}{\alpha-1} .$$

When Lemmas 1 and 2 are combined, we obtain the following characterization 
of smooth Renyi entropy $H_\alpha^\varepsilon(X|Y)$, for $\alpha < 1$, in 
terms of smooth Renyi entropy of order 0: 

$$H_0^{\varepsilon+\varepsilon'}(X|Y) - \frac{\log(1/\varepsilon')}{1-\alpha} \le H_\alpha^\varepsilon(X|Y) \le H_0^\varepsilon(X|Y) .$$

Similarly, for $\alpha > 1$, 

$$H_\infty^{\varepsilon+\varepsilon'}(X|Y) + \frac{\log(1/\varepsilon')}{\alpha-1} \ge H_\alpha^\varepsilon(X|Y) \ge H_\infty^\varepsilon(X|Y) .$$

If $\varepsilon = 0$, this leads to an approximation of the (conventional) 
Renyi entropy $H_\alpha$, of any order $\alpha$, in terms of the smooth Renyi 
entropies $H_0^{\varepsilon'}$ and $H_\infty^{\varepsilon'}$. For example, the 
collision entropy $H_2(X)$ cannot be larger than 
$H_\infty^\varepsilon(X) + \log(1/\varepsilon)$ (whereas 
$H_2(X) \approx 2H_\infty(X)$, for certain probability distributions $P_X$). 

^5 The result of [19] corresponds to the special case where Y is a constant. 



Simple and Tight Bounds for Information Reconciliation 207 


2.3 Smooth Renyi Entropy as a Generalization of Shannon Entropy 

Interestingly, one obtains as an immediate consequence of the asymptotic 
equipartition property (AEP) (cf. [8]) that, for many independent realizations of 
a random experiment, smooth Renyi entropy is asymptotically equal to Shannon 
entropy. (Note that the same is not true at all for the usual Renyi entropies.) 

Lemma 3. Let $(X_1,Y_1),\ldots,(X_n,Y_n)$ be $n$ independent pairs of random variables distributed according to $P_{XY}$. Then we have, for any $\alpha \ne 1$,

where $H(X|Y)$ is the conditional Shannon entropy.

For a proof as well as a more detailed (non-asymptotic) version of this state- 
ment, we refer to [12]. 


2.4 Shannon-Like Properties of Smooth Renyi Entropy 

Smooth Renyi entropy shares basic properties with Shannon entropy — this is 
in contrast to the usual Renyi entropies, which do not have these properties. 
Therefore, the smooth versions are much more natural and useful quantities in 
many contexts, as we will see. 

Chain Rule. We first prove a property corresponding to the chain rule $H(X|Y) = H(XY) - H(Y)$ of Shannon entropy. More precisely, Lemmas 4 and 5 below are two different inequalities, which, combined, give a chain rule for smooth Rényi entropies of any order $\alpha$.

Lemma 4. Let $X$ and $Y$ be random variables and let $\varepsilon > 0$, $\varepsilon' \ge 0$, $\varepsilon'' \ge 0$. Then, for $\alpha < 1 < \beta$, we have

$$H^{\varepsilon+\varepsilon'+\varepsilon''}_\alpha(X|Y) \le H^{\varepsilon'}_\alpha(XY) - H^{\varepsilon''}_\beta(Y) + \frac{\beta-\alpha}{(\beta-1)(1-\alpha)}\log(1/\varepsilon) ,$$

and, similarly, for $\alpha > 1 > \beta$,

$$H^{\varepsilon+\varepsilon'+\varepsilon''}_\alpha(X|Y) \ge H^{\varepsilon'}_\alpha(XY) - H^{\varepsilon''}_\beta(Y) - \frac{\alpha-\beta}{(\alpha-1)(1-\beta)}\log(1/\varepsilon) .$$

Proof. It is easy to verify that the assertion can be rewritten as

$$\log r^{\varepsilon+\varepsilon'+\varepsilon''}_\alpha(X|Y) \le \log r^{\varepsilon'}_\alpha(XY) + \frac{1-\alpha}{\beta-1}\log r^{\varepsilon''}_\beta(Y) + \frac{\beta-\alpha}{\beta-1}\log(1/\varepsilon) . \qquad (5)$$

By the definition of $r^{\varepsilon'}_\alpha(XY)$ there exists an event $\Omega_1$ with probability $\Pr[\Omega_1] = 1-\varepsilon'$ such that $r^{\varepsilon'}_\alpha(XY) = \sum_{x\in\mathcal{X},\,y\in\mathcal{Y}} P_{XY\Omega_1}(x,y)^\alpha$. Similarly, one can find an event $\Omega_2$ such that $\Pr[\Omega_2] = 1-\varepsilon''$ and $r^{\varepsilon''}_\beta(Y) = \sum_{y\in\mathcal{Y}} P_{Y\Omega_2}(y)^\beta$. Hence, the event $\Omega := \Omega_1 \cap \Omega_2$ has probability $\Pr[\Omega] \ge 1-\varepsilon'-\varepsilon''$ and satisfies

$$\sum_{x\in\mathcal{X},\,y\in\mathcal{Y}} P_{XY\Omega}(x,y)^\alpha \le r^{\varepsilon'}_\alpha(XY)$$

as well as

$$\sum_{y\in\mathcal{Y}} P_{Y\Omega}(y)^\beta \le r^{\varepsilon''}_\beta(Y) .$$

For any $y \in \mathcal{Y}$, let $f_y := \sum_{x\in\mathcal{X}} P_{X\Omega|Y=y}(x)^\alpha$. Since inequality (5) is independent of the labeling of the values in $\mathcal{Y}$, we can assume without loss of generality that these are natural numbers, $\mathcal{Y} = \{1,\ldots,n\}$, for $n := |\mathcal{Y}|$, and that the values $f_y$ are arranged in increasing order, $f_y \ge f_{y'} \iff y \ge y'$. Let $\bar y \in \mathcal{Y}$ be the minimum value such that $\Pr[Y > \bar y, \Omega] \le \varepsilon$ holds. In particular,

$$\Pr[Y \ge \bar y, \Omega] = \Pr[Y > \bar y - 1, \Omega] > \varepsilon . \qquad (6)$$

Let $\Omega'$ be the event that $Y \le \bar y$ holds, i.e., we have $\Pr[\bar\Omega', \Omega] \le \varepsilon$ and, consequently,

$$\Pr[\Omega', \Omega] = 1 - \Pr[\bar\Omega] - \Pr[\bar\Omega', \Omega] \ge 1 - \varepsilon - \varepsilon' - \varepsilon'' .$$

Hence, since $P_{X\Omega\Omega'|Y=y}(x) = 0$ holds for any $x \in \mathcal{X}$ and $y > \bar y$, we have

$$r^{\varepsilon+\varepsilon'+\varepsilon''}_\alpha(X|Y) \le \max_{y\in\mathcal{Y}} \sum_{x\in\mathcal{X}} P_{X\Omega\Omega'|Y=y}(x)^\alpha \le \max_{y \le \bar y} f_y \le f_{\bar y} .$$

Therefore, it remains to be proven that

$$\log f_{\bar y} \le \log\Big(\sum_{x\in\mathcal{X},\,y\in\mathcal{Y}} P_{XY\Omega}(x,y)^\alpha\Big) + \frac{1-\alpha}{\beta-1}\log\Big(\sum_{y\in\mathcal{Y}} P_{Y\Omega}(y)^\beta\Big) + \frac{\beta-\alpha}{\beta-1}\log(1/\varepsilon) . \qquad (7)$$

Let $s := \sum_{y=\bar y}^{n} P_Y(y)^\alpha$. Then,

$$f_{\bar y}\, s = \sum_{y=\bar y}^{n} f_{\bar y}\, P_Y(y)^\alpha \le \sum_{y=\bar y}^{n} f_y\, P_Y(y)^\alpha \le \sum_{y=1}^{n} f_y\, P_Y(y)^\alpha , \qquad (8)$$

where the first inequality follows from the fact that $f_y \ge f_{\bar y}$ holds for all $y \ge \bar y$. When the definition of $f_y$ is inserted into inequality (8), we get

$$f_{\bar y} \le \frac{1}{s} \sum_{x\in\mathcal{X},\,y\in\mathcal{Y}} P_{XY\Omega}(x,y)^\alpha ,$$

that is,

$$\log f_{\bar y} \le \log\Big(\sum_{x\in\mathcal{X},\,y\in\mathcal{Y}} P_{XY\Omega}(x,y)^\alpha\Big) - \log s . \qquad (9)$$

In order to find a bound on $s$, let $p_y := P_{Y\Omega}(y)$, $p := \frac{\beta-\alpha}{\beta-1}$, $q := \frac{\beta-\alpha}{1-\alpha}$ and $\gamma := \frac{\alpha}{p}$, so that $\gamma p = \alpha$ and $(1-\gamma) q = \beta$. We then have $\frac{1}{p} + \frac{1}{q} = 1$ and can apply Hölder's inequality, yielding

$$\Big(\sum_{y=\bar y}^{n} (p_y)^\alpha\Big)^{1/p} \Big(\sum_{y=\bar y}^{n} (p_y)^\beta\Big)^{1/q} \;\ge\; \sum_{y=\bar y}^{n} (p_y)^{\gamma} (p_y)^{1-\gamma} \;=\; \sum_{y=\bar y}^{n} p_y \;=\; \Pr[Y \ge \bar y, \Omega] \;>\; \varepsilon .$$

Since $p_y \le P_Y(y)$, the first factor is at most $s^{1/p}$, and hence

$$\log s \ge p \log\varepsilon - \frac{p}{q}\log\Big(\sum_{y=\bar y}^{n} P_{Y\Omega}(y)^\beta\Big) .$$

Combining this with (9) implies (7) and, thus, concludes the proof. □

Lemma 5. Let $X$ and $Y$ be random variables and let $\varepsilon \ge 0$, $\varepsilon' \ge 0$. Then, for any $\alpha < 1$, we have

$$H^{\varepsilon+\varepsilon'}_\alpha(XY) \le H^\varepsilon_\alpha(X|Y) + H^{\varepsilon'}_\alpha(Y) ,$$

and, similarly, for $\alpha > 1$,

$$H^{\varepsilon+\varepsilon'}_\alpha(XY) \ge H^\varepsilon_\alpha(X|Y) + H^{\varepsilon'}_\alpha(Y) .$$

Proof. Let $\Omega$ be an event with $\Pr[\Omega] \ge 1-\varepsilon$ such that

$$\max_{y\in\mathcal{Y}} \sum_{x\in\mathcal{X}} P_{X\Omega|Y=y}(x)^\alpha \le r^\varepsilon_\alpha(X|Y) .$$

Similarly, let $\Omega'$ be an event with $\Pr[\Omega'] \ge 1-\varepsilon'$ such that $\Omega' \leftrightarrow Y \leftrightarrow (X,\Omega)$ is a Markov chain and

$$\sum_{y\in\mathcal{Y}} P_{Y\Omega'}(y)^\alpha \le r^{\varepsilon'}_\alpha(Y) .$$

Since $\Pr[\Omega, \Omega'] \ge 1-\varepsilon-\varepsilon'$ holds, we have

$$r^{\varepsilon+\varepsilon'}_\alpha(XY) \le \sum_{x\in\mathcal{X},\,y\in\mathcal{Y}} P_{XY\Omega\Omega'}(x,y)^\alpha .$$

The assertion thus follows from

$$\sum_{x\in\mathcal{X},\,y\in\mathcal{Y}} P_{XY\Omega\Omega'}(x,y)^\alpha = \sum_{x\in\mathcal{X},\,y\in\mathcal{Y}} P_{Y\Omega'}(y)^\alpha\, P_{X\Omega|Y=y}(x)^\alpha \le \Big(\sum_{y\in\mathcal{Y}} P_{Y\Omega'}(y)^\alpha\Big)\Big(\max_{y\in\mathcal{Y}} \sum_{x\in\mathcal{X}} P_{X\Omega|Y=y}(x)^\alpha\Big) . \qquad □$$
It is easy to see that the statements of Lemma 4 and Lemma 5 still hold if all entropies are conditioned on an additional random variable $Z$. For example, the statement of Lemma 5 then reads, for $\alpha < 1$,

$$H^{\varepsilon+\varepsilon'}_\alpha(XY|Z) - H^{\varepsilon'}_\alpha(Y|Z) \le H^\varepsilon_\alpha(X|YZ) \qquad (10)$$

and for $\alpha > 1$,

$$H^{\varepsilon+\varepsilon'}_\alpha(XY|Z) - H^{\varepsilon'}_\alpha(Y|Z) \ge H^\varepsilon_\alpha(X|YZ) . \qquad (11)$$

Sub-additivity. The Shannon entropy $H(XY)$ of a pair of random variables $X$ and $Y$ cannot be larger than the sum $H(X) + H(Y)$. The following statement generalizes this sub-additivity property to smooth Rényi entropy. The proof of this statement is straightforward and, in fact, very similar to the (simple) proof of Lemma 5.

Lemma 6. Let $X$ and $Y$ be random variables and let $\varepsilon \ge 0$, $\varepsilon' \ge 0$. Then, for any $\alpha < 1$,

$$H^{\varepsilon+\varepsilon'}_\alpha(XY) \le H^\varepsilon_\alpha(X) + H^{\varepsilon'}_\alpha(Y)$$

holds. Similarly, for $\alpha > 1$, we have

$$H^\varepsilon_\alpha(XY) \le H^{\varepsilon+\varepsilon'}_\alpha(X) + H^{\varepsilon'}_\alpha(Y) .$$


Monotonicity. The uncertainty on a pair of random variables $X$ and $Y$ cannot be smaller than the uncertainty on $X$ alone. This is formalized by the following lemma. The proof is again similar to Lemma 5.

Lemma 7. Let $X$ and $Y$ be random variables and let $\varepsilon \ge 0$. Then, for $\alpha \ne 1$, we have

$$H^\varepsilon_\alpha(X) \le H^\varepsilon_\alpha(XY) .$$

In particular, the smooth Rényi entropy does not increase when a function is applied:

$$H^\varepsilon_\alpha(f(X)) \le H^\varepsilon_\alpha(X) . \qquad (12)$$


Independence, Conditional Independence, and Markov Chains. Conditioning on independent randomness cannot have any effect on the entropy.

Lemma 8. Let $X$ and $Y$ be independent random variables and let $\varepsilon \ge 0$, $\varepsilon' \ge 0$. Then, for any $\alpha \ne 1$, we have

$$H^\varepsilon_\alpha(X|Y) = H^\varepsilon_\alpha(X) .$$

This statement can be generalized to random variables $X$, $Y$, and $Z$ such that $X \leftrightarrow Z \leftrightarrow Y$ is a Markov chain:

$$H^\varepsilon_\alpha(X|YZ) = H^\varepsilon_\alpha(X|Z) .$$

When this is combined with inequalities (10) and (11), we obtain, for $\alpha < 1$,

$$H^{\varepsilon+\varepsilon'}_\alpha(XY|Z) \le H^\varepsilon_\alpha(X|Z) + H^{\varepsilon'}_\alpha(Y|Z)$$

and, for $\alpha > 1$,

$$H^{\varepsilon+\varepsilon'}_\alpha(XY|Z) \ge H^\varepsilon_\alpha(X|Z) + H^{\varepsilon'}_\alpha(Y|Z) .$$


3 Smooth Renyi Entropy in Cryptography 

3.1 Randomness Extraction and Privacy Amplification 

The problem of extracting uniform randomness from a non-uniform source has first been studied in [3,13], and later been defined explicitly in [16]. Today, randomness extraction is a well-known and widely-used concept in theoretical computer science and, in particular, cryptography. A (strong) extractor is a function $f$ which takes as input a random variable $X$ and some additional uniformly distributed randomness $R$ and is such that if $X$ satisfies a certain entropy condition, the output $S := f(X,R)$ is almost independent of $R$ and uniformly distributed.

For two random variables $Z$ and $W$ with joint distribution $P_{ZW}$, we define the distance from uniform by $d(Z|W) := \delta(P_{ZW}, P_U \times P_W)$ where $P_U$ is the uniform distribution on the range of $Z$ and where $\delta(\cdot,\cdot)$ denotes the statistical distance.^6

Definition 2. A strong $(\tau, \kappa, \varepsilon)$-extractor on a set $\mathcal{X}$ is a function $f$ with domain $\mathcal{X} \times \mathcal{R}$ (for a set $\mathcal{R}$) and range $\mathcal{U}$ of size $|\mathcal{U}| = 2^\tau$ such that, for any random variable $X$ on $\mathcal{X}$ satisfying $H_\infty(X) \ge \kappa$ and $R$ uniformly distributed over $\mathcal{R}$, $d(f(X,R)|R) \le \varepsilon$ holds.

The following result has originally been proven in [13] based on two-universal hashing (where the randomness $R$ is used to select a function from a two-universal^7 class of functions). Later, similar statements have been shown in [2] and [11].^8

Lemma 9 (Leftover hash lemma). For any $\kappa \ge \tau$, there exists a strong $(\tau, \kappa, 2^{-(\kappa-\tau)/2})$-extractor.

The following measure is closely related to smooth entropy as defined in [7] 
and [5]. For a distribution Pxy, it quantifies the amount of uniform randomness, 
conditioned on Y, which can be extracted from X. 


6 The statistical distance between two probability distributions $P$ and $Q$ is defined by $\delta(P,Q) := \frac{1}{2}\sum_v |P(v) - Q(v)|$.

7 A two-universal class of functions from $\mathcal{Z}$ to $\mathcal{W}$ is a family $\mathcal{F}$ of functions $f: \mathcal{Z} \to \mathcal{W}$ such that for any $z \ne z'$ and for $f$ chosen at random from $\mathcal{F}$, $\Pr[f(z) = f(z')] \le 1/|\mathcal{W}|$.

8 For a simple proof of Lemma 9, see, e.g., [14], p. 20.
Definition 3. Let $X$ and $Y$ be random variables and let $\varepsilon \ge 0$. The $\varepsilon$-extractable randomness of $X$ conditioned on $Y$ is

$$H^\varepsilon_{\mathrm{ext}}(X|Y) := \max_{\mathcal{U}:\ \exists f \in \Gamma^\varepsilon_{XY}(\mathcal{X} \to \mathcal{U})} \log|\mathcal{U}| ,$$

where $\Gamma^\varepsilon_{XY}(\mathcal{X} \to \mathcal{U})$ denotes the set of functions $f$ from $\mathcal{X} \times \mathcal{R}$ (for some set $\mathcal{R}$) to $\mathcal{U}$ such that $d(f(X,R)|YR) \le \varepsilon$ holds, for $R$ independent of $(X,Y)$ and uniformly distributed on $\mathcal{R}$.

As mentioned in the introduction, smooth Rényi entropy equals the amount of extractable uniform randomness, up to some small additive constant. Here, the lower bound follows directly from the leftover hash lemma and the definition of $H^\varepsilon_\infty$. The upper bound, on the other hand, is a special case of the bound on one-way key agreement derived in Section 3.3.

Theorem 1. Let $X$ and $Y$ be random variables and let $\varepsilon \ge 0$, $\varepsilon' > 0$. Then we have

$$H^\varepsilon_\infty(X|Y) - 2\log(1/\varepsilon') \;\le\; H^{\varepsilon+\varepsilon'}_{\mathrm{ext}}(X|Y) \;\le\; H^{\varepsilon+\varepsilon'}_\infty(X|Y) .$$

Using Lemma 2, we can, in particular, conclude that Rényi entropy of order $\alpha$, for any $\alpha > 1$, is a lower bound on the number of uniform random bits that can be extracted, i.e.,

$$H_\alpha(X|Y) - \frac{\log(1/\varepsilon)}{\alpha-1} - 2\log(1/\varepsilon') \;\le\; H^{\varepsilon+\varepsilon'}_{\mathrm{ext}}(X|Y) .$$
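The following Python example is added here and is not part of the paper. It makes the two smooth quantities concrete on a single constructed 8-bit source: $H^\varepsilon_\infty$ is computed by cutting the largest probabilities down to a common level until $\varepsilon$ of mass is removed, $H^\varepsilon_0$ by leaving away the smallest probabilities, and then the exact $d(f(X,R)|R)$ of a two-universal extractor (multiplication by the seed in $\mathrm{GF}(2^8)$, truncated to $\tau$ bits) is compared with the bound $\varepsilon + 2^{-(H^\varepsilon_\infty - \tau)/2}$ that Lemma 9 and Theorem 1 give. The source (one value of probability $0.05$, the rest uniform), the AES field polynomial, and the smoothing ball $\{Q : 0 \le Q \le P,\ \sum Q \ge 1-\varepsilon\}$ are assumptions of the example, not taken from the paper.

```python
"""Smooth Renyi entropies of a constructed source and the distance from uniform of a
two-universal extractor applied to it.  Added example, not code from the paper."""
import math


def smooth_min_entropy(p, eps):
    """H_inf^eps(P): cut the largest probabilities down to a common level lam chosen
    so that exactly eps of probability mass is removed; H_inf^eps = -log2(lam).
    Assumption: the smoothing ball is {Q : 0 <= Q <= P, sum(Q) >= 1 - eps}."""
    if not 0 <= eps < 1:
        raise ValueError("eps must lie in [0, 1)")
    probs = sorted(p, reverse=True)
    for k in range(1, len(probs) + 1):
        lam = (sum(probs[:k]) - eps) / k      # level at which the k largest are capped
        nxt = probs[k] if k < len(probs) else 0.0
        if lam >= nxt:                        # remaining entries already lie below lam
            return -math.log2(lam)
    raise AssertionError("unreachable for eps < 1")


def smooth_max_entropy(p, eps):
    """H_0^eps(P): leave away the smallest probabilities while the removed mass
    stays <= eps; H_0^eps is log2 of the remaining support size."""
    probs = sorted(q for q in p if q > 0)
    removed, support = 0.0, len(probs)
    for q in probs:
        if removed + q > eps + 1e-12:
            break
        removed += q
        support -= 1
    return math.log2(support)


def gf256_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b, the AES field)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r


def extract(x, seed, tau):
    """Strong extractor f(x, seed): multiply by the seed in GF(2^8) and keep the low
    tau bits.  For x != x' and a uniform seed, seed*(x ^ x') is uniform over the
    field, so the truncations collide with probability exactly 2^-tau: the family
    is two-universal and Lemma 9 applies."""
    return gf256_mul(x, seed) & ((1 << tau) - 1)


def distance_from_uniform(p, tau):
    """d(f(X,R)|R): average over all 256 seeds of the statistical distance between
    the output distribution of f(X, seed) and the uniform distribution on tau bits."""
    total = 0.0
    for seed in range(256):
        out = [0.0] * (1 << tau)
        for x, px in enumerate(p):
            out[extract(x, seed, tau)] += px
        total += 0.5 * sum(abs(q - 2.0 ** -tau) for q in out)
    return total / 256


def leftover_bound(k, tau):
    """Error guaranteed by Lemma 9 for a source of min-entropy k and tau output bits."""
    return 2.0 ** (-(k - tau) / 2)


def spiky_source(spike=0.05):
    """Constructed 8-bit source: one value has probability `spike`, the remaining
    mass is spread uniformly over the other 255 values."""
    rest = (1.0 - spike) / 255
    return [spike] + [rest] * 255


if __name__ == "__main__":
    P, eps, tau = spiky_source(), 0.05, 4
    h_min, h_min_eps = smooth_min_entropy(P, 0), smooth_min_entropy(P, eps)
    print("H_inf =", h_min, " H_inf^eps =", h_min_eps,
          " H_0^eps =", smooth_max_entropy(P, eps))
    print("bound from H_inf:", leftover_bound(h_min, tau))
    print("bound from H_inf^eps (+eps):", eps + leftover_bound(h_min_eps, tau))
    print("actual d(f(X,R)|R):", distance_from_uniform(P, tau))
```

On this source the unsmoothed min-entropy is about 4.3 bits, so Lemma 9 alone gives a vacuous error bound for $\tau = 4$ output bits, while smoothing with $\varepsilon = 0.05$ raises the min-entropy to about 8.07 bits and the bound to roughly $0.29$; the exact distance computed by enumerating all seeds is $12/256 \approx 0.047$.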


3.2 Data Compression, Error Correction, and Information 
Reconciliation 

Another fundamental property of a probability distribution $P$ is the minimum length of an encoding $C = E(X)$ of a random variable $X$ with $P_X = P$ such that $X$ can be retrieved from $C$ with high probability. (A similar quantity can be defined for a set $\mathcal{P}$ of probability distributions.) As a motivating example, consider the following setting known as information reconciliation [4].^9 An entity (Alice) holds a value $X$ which she wants to transmit to another (Bob), using $r$ bits of communication $C$. Clearly the minimum number $r$ of bits needed depends on the initial knowledge of Bob, which might be specified by some additional random variable $Y$ (not necessarily known to Alice). From Bob's point of view, the random variable $X$ is thus initially distributed according to $P_{X|Y=y}$ for some $y \in \mathcal{Y}$. Consequently, in order to guarantee that Bob can reconstruct the value of $X$ with high probability, the error correcting information $C$ sent by Alice must be useful for most of the distributions $P_{X|Y=y}$.

For the following, note that any probabilistic encoding function E corre- 
sponds to a deterministic function e taking as input some additional randomness 
R, i.e., E(X) = e(X,R). 

9 In certain cryptographic applications, (one-way) information reconciliation schemes 
are also called secure sketches [10] (where Bob’s procedure is the recovery function). 
Definition 4. A $(\tau, \kappa, \varepsilon)$-encoding on a set $\mathcal{X}$ is a pair of functions $(e, g)$ together with a random variable $R$ with range $\mathcal{R}$ where $e$, the encoding function, is a mapping from $\mathcal{X} \times \mathcal{R}$ to $\mathcal{C}$, for some set $\mathcal{C}$ of size $|\mathcal{C}| = 2^\tau$, and $g$, the decoding function, is a mapping from $\mathcal{C} \times \mathcal{R}$ to $\mathcal{X}$ such that, for any random variable $X$ with range $\mathcal{X}$ satisfying $H_0(X) \le \kappa$, $\Pr[g(e(X,R),R) \ne X] \le \varepsilon$ holds.

The following result has originally been shown in the context of information reconciliation [4].

Lemma 10. For any $\tau \ge \kappa$, there exists a $(\tau, \kappa, \ldots)$-encoding.

For a distribution $P_{XY}$, the measure defined below quantifies the minimum length of an encoding $C = e(X,R)$ of $X$ such that $X$ can be reconstructed from $C$, $Y$, and $R$ (with high probability).

Definition 5. Let $X$ and $Y$ be random variables and let $\varepsilon \ge 0$. The $\varepsilon$-encoding length of $X$ given $Y$ is

$$H^\varepsilon_{\mathrm{enc}}(X|Y) := \min_{\mathcal{C}:\ \exists e \in \Lambda^\varepsilon_{XY}(\mathcal{X} \to \mathcal{C})} \log|\mathcal{C}| ,$$

where $\Lambda^\varepsilon_{XY}(\mathcal{X} \to \mathcal{C})$ denotes the set of functions $e$ from $\mathcal{X} \times \mathcal{R}$ (for some set $\mathcal{R}$) to $\mathcal{C}$ such that there exists a decoding function $g$ from $\mathcal{Y} \times \mathcal{C} \times \mathcal{R}$ to $\mathcal{X}$ such that $\Pr[g(Y, e(X,R), R) \ne X] \le \varepsilon$ holds, for $R$ independent of $(X,Y)$ and uniformly distributed on $\mathcal{R}$.


Similarly to the amount of extractable randomness, smooth Renyi entropy 
can also be used to characterize the minimum encoding length. 

Theorem 2. Let $X$ and $Y$ be random variables and let $\varepsilon \ge 0$, $\varepsilon' > 0$. Then we have

$$H^{\varepsilon+\varepsilon'}_0(X|Y) \;\le\; H^{\varepsilon+\varepsilon'}_{\mathrm{enc}}(X|Y) \;\le\; H^\varepsilon_0(X|Y) + \log(1/\varepsilon') .$$


3.3 A Tight Bound for Key Agreement by One-Way Communication 

As an application of Theorems 1 and 2, we prove tight bounds on the maximum 
length of a secret key that can be generated from partially secret and weakly 
correlated randomness by one-way communication. 

Let $X$, $Y$, and $Z$ be random variables. For $\varepsilon \ge 0$, define

$$M^\varepsilon(X;Y|Z) := \sup_{V \leftrightarrow U \leftrightarrow X \leftrightarrow (Y,Z)} H^\varepsilon_\infty(U|ZV) - H^\varepsilon_0(U|YV) . \qquad (13)$$

Note that this is equivalent to^10

$$M^\varepsilon(X;Y|Z) = \sup_{(U,V) \leftrightarrow X \leftrightarrow (Y,Z)} H^\varepsilon_\infty(U|ZV) - H^\varepsilon_0(U|YV) . \qquad (14)$$

10 To see that the measure defined by (14) is not larger than the measure defined by (13), observe that the entropies on the right-hand side of (14) do not change when the random variable $U$ is replaced by $U' := (U,V)$. This random variable $U'$ then satisfies $V \leftrightarrow U' \leftrightarrow X \leftrightarrow (Y,Z)$.
Consider now a setting where two parties, Alice and Bob, hold information $X$ and $Y$, respectively, while the knowledge of an adversary Eve is given by $Z$. Additionally, they are connected by a public but authenticated one-way communication channel from Alice to Bob, and their goal is to generate an $\varepsilon$-secure key pair $(S_A, S_B)$. Let $S^\varepsilon(X \to Y \,\|\, Z)$ be the maximum length of an $\varepsilon$-secure key that can be generated in this situation. Here, $\varepsilon$-secure means that, except with probability $\varepsilon$, Alice and Bob's keys are equal to a perfect key which is uniformly distributed and independent of Eve's information. Note that, if $\Pr[S_A \ne S_B] \le \varepsilon_1$ and $d(S_A|W) \le \varepsilon_2$, where $W$ summarizes Eve's knowledge after the protocol execution, then the pair $(S_A, S_B)$ is $\varepsilon$-secure, for $\varepsilon = \varepsilon_1 + \varepsilon_2$.

Theorem 3. Let $X$, $Y$, and $Z$ be random variables. Then, for $\varepsilon \ge 0$ and $\varepsilon' = O(\varepsilon)$, we have

$$M^{\varepsilon'}(X;Y|Z) - O(\log(1/\varepsilon')) \;\le\; S^\varepsilon(X \to Y \,\|\, Z) \;\le\; M^\varepsilon(X;Y|Z) .$$

Proof. We first show that the measure M £ (X;Y\Z) is a lower bound on the 
number of e-secure bits that can be generated. To see this, consider the following 
simple three-step protocol. 

1. Pre-processing: Alice computes $U$ and $V$ from $X$. She sends $V$ to Bob and keeps $U$.

2. Information reconciliation: Alice sends error-correcting information to Bob. Bob uses this information together with $Y$ and $V$ to compute a guess $\hat U$ of $U$.

3. Privacy amplification: Alice chooses a hash function $F$ and sends a description of $F$ to Bob. Alice and Bob then compute $S_A := F(U)$ and $S_B := F(\hat U)$, respectively.

It follows immediately from the analysis of information reconciliation and privacy amplification that the parameters of the protocol (i.e., the amount of error correcting information and the size of the final keys) can be chosen such that the final keys have length $M^\varepsilon(X;Y|Z)$ and the key pair $(S_A, S_B)$ is $\varepsilon$-secure.
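As an added illustration of the three steps (this is example code written for this page, not the paper's construction), the following Python simulates one run of the protocol on a constructed instance: Alice holds a 64-bit string $X$, Bob's $Y$ differs from $X$ in at most one position, and Eve's $Z$ is assumed to be the first 16 bits of $X$. Pre-processing is trivial ($U := X$, no $V$), information reconciliation sends a 7-bit single-error-correcting syndrome (within one bit of $H_0(X|Y) = \log 65$, as Theorem 2 predicts), and privacy amplification applies a two-universal hash given by a random $\mathrm{GF}(2)$-matrix whose seed is the public description of $F$. The key length is the entropy accounting of Theorem 1: $H_\infty(X|Z)$ minus the 7 public syndrome bits minus $2\log(1/\varepsilon')$ for $\varepsilon' = 2^{-4}$. All numeric parameters and the sample value of $X$ are assumptions of the example.

```python
"""One-way secret-key agreement in three steps (pre-processing, information
reconciliation, privacy amplification) on constructed data.  Added example."""
import random

N_BITS = 64        # length of Alice's string X
EVE_KNOWN = 16     # assumption: Eve's Z is the first 16 bits of X, so H_inf(X|Z) = 48
SYN_BITS = 7       # reconciliation message: a 7-bit syndrome, since 2^7 > N_BITS + 1
LOG_INV_EPS = 4    # privacy amplification with eps' = 2^-4 costs 2*log(1/eps') bits

# Constructed sample value of X (any 64-bit value would do).
SAMPLE_X = 0xC0FFEE1234ABCD99


def syndrome(x):
    """Alice's reconciliation message C = e(X): the XOR of (i + 1) over all set bit
    positions i.  This is the syndrome of a single-error-correcting (Hamming-type)
    code: syndrome(x ^ y) = syndrome(x) ^ syndrome(y), and a single flipped bit at
    position i has syndrome i + 1.  Its length, 7 bits, is within one bit of
    H_0(X|Y) = log2(65) for a Y that differs from X in at most one position."""
    s = 0
    for i in range(N_BITS):
        if (x >> i) & 1:
            s ^= i + 1
    return s


def reconcile(y, c):
    """Bob's decoder g(Y, C).  Returns None when the syndrome difference does not
    name a position, i.e. when more than one bit was flipped and the error is
    detected rather than corrected."""
    diff = syndrome(y) ^ c
    if diff == 0:
        return y
    if diff > N_BITS:
        return None
    return y ^ (1 << (diff - 1))


def pa_hash(u, ell, seed):
    """Privacy amplification F(U): a random GF(2)-linear map given by ell rows of
    N_BITS random bits derived from the public seed Alice sends to Bob.  For
    u != u' the images collide with probability 2^-ell (two-universal family)."""
    rng = random.Random(seed)
    out = 0
    for _ in range(ell):
        row = rng.getrandbits(N_BITS)
        out = (out << 1) | (bin(row & u).count("1") & 1)   # parity of <row, u>
    return out


def key_length():
    """Entropy accounting behind the final key length: H_inf(X|Z) bits before the
    protocol, minus the SYN_BITS revealed over the public channel, minus the
    2*log(1/eps') bits charged by the leftover hash lemma (Theorem 1)."""
    return (N_BITS - EVE_KNOWN) - SYN_BITS - 2 * LOG_INV_EPS


def run_protocol(x, flipped_positions, pa_seed=7):
    """Runs all three steps.  Bob's Y is X with the given positions flipped."""
    y = x
    for i in flipped_positions:
        y ^= 1 << i
    # Step 1: pre-processing.  Here U := X and V is empty (Alice keeps all of X).
    # Step 2: information reconciliation.  Alice sends C; Bob decodes U_hat.
    c = syndrome(x)
    u_hat = reconcile(y, c)
    # Step 3: privacy amplification.  Alice sends the seed describing F.
    ell = key_length()
    s_a = pa_hash(x, ell, pa_seed)
    s_b = None if u_hat is None else pa_hash(u_hat, ell, pa_seed)
    return {"c": c, "u_hat": u_hat, "s_a": s_a, "s_b": s_b, "length": ell}


if __name__ == "__main__":
    r = run_protocol(SAMPLE_X, [5])
    print("reconciled:", r["u_hat"] == SAMPLE_X, " keys agree:", r["s_a"] == r["s_b"],
          " key length:", r["length"])
    r2 = run_protocol(SAMPLE_X, [5, 40])
    print("two errors, Bob recovers X:", r2["u_hat"] == SAMPLE_X)
```

With one flipped bit Bob recovers $X$ exactly and both sides derive the same 33-bit key; with two flipped bits the single-error syndrome either points at a wrong position or at no position at all, so Bob's $\hat U$ differs from $X$, which is the failure mode the $\varepsilon$ in Definition 5 accounts for.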

On the other hand, it is easy to see that any measure $M^\varepsilon(X;Y|Z)$ is an upper bound on the amount of key bits that can be generated if the following conditions, which imply that the quantity cannot increase during the execution of any protocol, are satisfied:

1. $M^\varepsilon(X;Y|Z) \ge M^\varepsilon(X';Y|Z)$ for any $X'$ computed from $X$.

2. $M^\varepsilon(X;Y|Z) \ge M^\varepsilon(X;Y'|Z)$ for any $Y'$ computed from $Y$.

3. $M^\varepsilon(X;Y|Z) \ge M^\varepsilon(X;YC|ZC)$ for any $C$ computed from $X$.

4. $M^\varepsilon(X;Y|Z) \le M^\varepsilon(X;Y|Z')$ for any $Z'$ computed from $Z$.

5. $M^\varepsilon(S_A;S_B|W) \ge n$ if the pair $(S_A, S_B)$ of $n$-bit keys is $\varepsilon$-secure with respect to an adversary knowing $W$.

The measure $M^\varepsilon(X;Y|Z)$ defined by (13) does in fact satisfy these properties. It is thus an upper bound on the length of an $\varepsilon$-secure key which can be generated by Alice and Bob.

Property 1 holds since any pair of random variables $U$ and $V$ that can be computed from $X'$ can also be computed from $X$.

Property 2 follows from $H^\varepsilon_0(A|BC) \le H^\varepsilon_0(A|B)$.

Property 3 holds since $M^\varepsilon(X;YC|ZC)$ can be written as the supremum over $U$ and $V'$ of $H^\varepsilon_\infty(U|ZV') - H^\varepsilon_0(U|YV')$, where $V'$ is restricted to values of the form $V' = (V, C)$.

Property 4 follows from $H^\varepsilon_\infty(A|BC) \le H^\varepsilon_\infty(A|B)$.

Property 5 follows from $M^\varepsilon(S_A;S_B|W) \ge H^\varepsilon_\infty(S_A|W) - H^\varepsilon_0(S_A|S_B)$, $H^\varepsilon_\infty(S_A|W) \ge n$, and $H^\varepsilon_0(S_A|S_B) = 0$.

□


4 Concluding Remarks 

We have analyzed data compression and randomness extraction in the crypto- 
graphic scenario where the assumption, usually made in classical information and 
communication theory, that the pieces of information stem from a large number 
of repetitions of a random experiment, has to be dropped. We have shown that 
Shannon entropy — the key quantity in independent-repetitions settings — then 
generalizes, depending on the context, to two different entropy measures $H^\varepsilon_0$ and 
$H^\varepsilon_\infty$. These new quantities, which are tight bounds on the optimal length of the 
compressed data and of the extracted random string, respectively, are very sim- 
ple — in fact, simpler than Shannon information. Indeed, they can be computed 
from the distribution simply by leaving away the smallest probabilities or cut- 
ting down the largest ones, respectively. Moreover, the new quantities share all 
central properties of Shannon entropy. 

An application of our results is the possibility of a simple yet general and tight 
analysis of protocols for quantum (see, e.g., [17]) and classical key agreement, 
where no assumption on an adversary’s behavior has to be made. For instance, we 
give a simple tight bound for the possibility and efficiency of secret-key agreement 
by one-way communication. 

It is conceivable that the new quantities have further applications in cryp- 
tography and in communication and information theory in general. We suggest 
as an open problem to find such contexts and applications. 
Abstract. We consider the problem of hiding sender and receiver of 
classical and quantum bits (qubits), even if all physical transmissions 
can be monitored. We present a quantum protocol for sending and re- 
ceiving classical bits anonymously, which is completely traceless: it suc- 
cessfully prevents later reconstruction of the sender. We show that this 
is not possible classically. It appears that entangled quantum states are 
uniquely suited for traceless anonymous transmissions. We then extend 
this protocol to send and receive qubits anonymously. In the process we 
introduce a new primitive called anonymous entanglement, which may 
be useful in other contexts as well. 


1 Introduction 

In most cryptographic applications, we are interested in ensuring the secrecy of 
data. Sender and receiver know each other, but are trying to protect their data 
exchange from prying eyes. Anonymity, however, is the secrecy of identity. Prim- 
itives to hide the sender and receiver of a transmission have received considerable 
attention in classical computing. Such primitives allow any member of a group to 
send and receive data anonymously, even if all transmissions can be monitored. 
They play an important role in protocols for electronic auctions [32], voting 
protocols and sending anonymous email [10]. Other applications allow users to 
access the Internet without revealing their own identity [30], [14] or, in com- 
bination with private information retrieval, provide anonymous publishing [15]. 
Finally, an anonymous channel which is completely immune to any active at- 
tacks, would be a powerful primitive. It has been shown how two parties can use 
such a channel to perform key-exchange [1]. 
1.1 Previous Work 

A considerable number of classical schemes have been suggested for anonymous 
transmissions. An unconditionally secure classical protocol was introduced by 
Chaum [11] in the context of the Dining Cryptographers Problem. Since this 
protocol served as an inspiration for this paper, we briefly review it here. A group 
of cryptographers is assembled in their favorite restaurant. They have already 
made arrangements with the waiter to pay anonymously, however they are rather 
anxious to learn whether one of them is paying the bill, or whether perhaps an 
outside party such as the NSA acts as their benefactor. To resolve this question, 
they all secretly flip a coin with each of their neighbours behind the menu and 
add the outcomes modulo two. If one of them paid, he inverts the outcome of the 
sum. They all loudly announce the result of their computation at the table. All 
players can now compute the total sum of all announcements which equals zero if 
and only if the NSA pays. This protocol thus allows anonymous transmission of 
one bit indicating payment. A network based on this protocol is also referred to as 
a DC-net. Small scale practical implementations of this protocol are known [23]. 
Boykin [7] considered a quantum protocol to send classical information anonymously where the players distribute and test pairwise shared EPR pairs, which they then use to obtain key bits. His protocol is secure in the presence of noise or attacks on the quantum channel. Other anonymity related work was done by Müller-Quade and Imai [25] in the form of anonymous oblivious transfer. 

In practice, two other approaches are used, which do not aim for uncondi- 
tional security: First, there are protocols which employ a trusted third party. 
This takes the form of a trusted proxy server [3] , [22] , forwarding messages while 
masking the identity of the original sender. Secondly, there are computationally 
secure protocols using a chain of forwarding servers. Most notably, these are 
protocols based on so-called mixing techniques introduced by Chaum [10], such 
as Webmixes [6] and ISDN-Mixes [27]. Here messages are passed through a num- 
ber of proxies which reorder the messages; hence the name MixNet. The goal of 
this reordering is to ensure an observer cannot match in- and outgoing messages 
and thus cannot track specific messages on their way through the network. Pub- 
lic Key Encryption is then used between the user and the different forwarding 
servers to hide the contents of a message. Several implemented systems, such as 
Mixmaster [24], PipeNet [14], Onion Routing [33] and Tor [16,35] employ layered 
encryption: the user successively encrypts the message with the public keys of 
all forwarding servers in the chain. Each server then “peels off” one layer, by de- 
crypting the received data with its own secret key, to determine the next hop to 
pass the message to. The Crowds [30] system takes another approach. Here each 
player acts as a forwarding server himself. He either sends the message directly to 
the destination, or passes it on to another forwarding server with a certain prob- 
ability. The aim is to make any sender within the group appear equally probable 
for an observer. Various other protocols using forwarding techniques are known. 
Since our focus lies on unconditionally secure protocols, we restrict ourselves to 
this brief introduction. More information can be found in the papers by Goldberg 
and Wagner [19], [18] and in the PhD thesis of Martin [23, Chapters 2 and 3]. 
Note that a DC-net computes the parity of the players' inputs. Sending classi- 
cal information anonymously can thus be achieved using secure multi-party com- 
putation which has received considerable attention classically [20], [12]. Quantum 
secure multi-party computation has been considered for the case that the play- 
ers hold quantum inputs and each player receives part of the output [13]. Our 
protocol for sending qubits anonymously does not form an instance of general 
quantum secure multi-party computation, as we only require the receiver to ob- 
tain the qubit sent. Other players do not share part of this state. Instead, the 
receiver of the state should remain hidden. 


1.2 Contribution 

Here we introduce quantum protocols to send and receive classical and quantum bits anonymously. We first consider a protocol that allows $n$ players to send and receive one bit of classical information anonymously using one shared entangled state $|\Phi\rangle = (|0\rangle^{\otimes n} + |1\rangle^{\otimes n})/\sqrt{2}$ and $n$ uses of a broadcast channel. Given these resources, the protocol is secure against collusions of up to $n-2$ players: the collaborators cannot learn anything more by working together and pooling their resources. 

The most notable property of our protocol for anonymous transmissions of 
classical data is that it is traceless as defined in Section 2.1. This is related to the 
notion of incoercibility in secure- multi party protocols [9]. Informally, a protocol 
is incoercible, if a player cannot be forced to reveal his true input at the end of the 
protocol. When forced to give up his input, output and randomness used during 
the course of the protocol, a player is able to generate fake input and randomness 
instead, that is consistent with the public transcript of communication. He can 
thus always deny his original input. This is of particular interest in secret voting 
to prevent vote-buying. Other examples include computation in the presence of 
an authority, such as the mafia, an employer or the government, that may turn 
coercive at a later point in time. In our case, incoercibility means that a player 
can always deny having sent. A protocol that is traceless, is also incoercible. 
However, a traceless protocol does not even require the player to generate any 
fake randomness. A sender can freely supply a fake input along with the true 
randomness used during the protocol without giving away his identity, i.e. his 
role as a sender during the protocol. This can be of interest in the case that the 
sender has no control over which randomness to give away. Imagine for example 
a burglar sneaking in at night to obtain a hard disk containing all randomness 
or the sudden seizure of a voting machine. As we show, the property traceless of 
our protocol contrasts with all classical protocols and provides another example 
of a property that cannot be achieved classically. The protocols suggested in [7] 
are not traceless, can, however, be modified to exhibit this property. 

Clearly, in 2005 the group of dinner guests is no longer content to send only 
classical bits, but would also like to send qubits anonymously. We first use our 
protocol to allow two anonymous parties to establish a shared EPR pair. Finally, 
we use this form of anonymous entanglement to hide the sender and receiver of 
an arbitrary qubit. These protocols use the same resource of shared entangled states $|\Phi\rangle$ and a broadcast channel. 
1.3 Outline 

Section 2 states the resources used in the protocol, necessary definitions and 
a description of the model. In Section 2.2 we derive limitations on classical 
protocols. Section 3.2 then presents a quantum protocol for sending classical bits 
anonymously. Section 3.4 deals with the case of sending qubits anonymously and 
defines the notion of anonymous entanglement. Multiple simultaneous senders 
are considered in Section 4. 

2 Preliminaries 

2.1 Definitions and Model 

We will consider protocols among a set of n players who are consecutively num- 
bered. The players may assume a distinct role in a particular run of the protocol. 
In particular, some players might be senders and others receivers of data items. 
In our case, a data item d will be a single bit or a qubit. We use the verb send to 
denote transmission of a data item via the anonymous channel and transmit to 
denote transmission of a message (here classical bits) via the underlying classical 
message passing network 1 or via the broadcast channel given in Definition 3. 

Anonymity is the secrecy of identity. Looking at data transmissions in par- 
ticular, this means that a sender stays anonymous, if no one can determine his 
identity within the set of possible senders. In particular, the receiver himself 
should not learn the sender’s identity either. Likewise, we define anonymity for 
the receiver. In all cases that we consider below, the possible set of senders coin- 
cides with the possible set of receivers. The goal of an adversary is to determine 
the identity of the sender and/or receiver. To this end he can choose to corrupt 
one or more players: this means he can take complete control over such players 
and their actions. Here, we only consider a non-adaptive adversary, who chooses 
the set of players to corrupt before the start of the protocol. In addition, the 
adversary is allowed to monitor all physical transmissions: he can follow the path 
of all messages, reading them as desired. Contrary to established literature, we 
here give the adversary one extra ability: After completion of the protocol, the 
adversary may hijack any number of players. This means that he can break into 
the system of a hijacked player and learn all randomness this player used during 
the protocol. However, he does not learn the data item d or the role this player 
played during the protocol. In a DC-net, for example, the randomness consists of the coin flips performed between two players. The adversary may then try to use 
this additional information to determine the identity of the sender and/or re- 
ceiver. We return to the concept of hijacking in Section 2.1. In this paper, we are 
only interested in unconditional security and thus consider an unbounded adver- 
sary. We call a player malicious if he is corrupted by the adversary. A malicious 
player may deviate from the protocol by sending alternate messages. We call a 
player honest, if he is not corrupted and follows the protocol. If t > 1 players 
are corrupted, we also speak of a collusion of t players. 

1 A network of pairwise communication channels between the players. 
Let $\mathcal{V}$ denote the set of all players. Without loss of generality, a protocol is a sequence of $k$ rounds, where in each round the players, one after another, transmit one message. We use $c_{jm}$ to denote the message transmitted by player $m$ in round $j$. The total communication during the protocol is thus given by the sequence $C = \{c_{jm}\}$ of $nk$ messages. Note that we do not indicate the receiver of the messages. At the beginning of the protocol, the players may have access to private randomness and shared randomness among all players, or a subset of players. In addition, each player may generate local private randomness during the course of the protocol. We use $g_{jm}$ to denote the random string held by player $m$ in round $j$. A player cannot later delete $g_{jm}$. Let $G_m = \{g_{jm}\}_{j=1}^{k}$ be the combined randomness held by player $m$. Similarly, we use $G = \{G_m\}_{m=1}^{n}$ to denote the combined randomness held by all players. Note that the data item $d$ player $m$ wants to send and his role in the protocol (sender/receiver/none) are excluded from $G_m$. In the following definitions, we exclude the trivial case where the sender or receiver are known beforehand, and where the sender is simultaneously the receiver. 

It is intuitive that a protocol preserves the anonymity of a sender, if the 
communication does not change the a priori uncertainty about the identity of 
the sender. Formally: 

Definition 1. A $k$-round protocol $P$ allows a sender $s$ to be anonymous, if for the adversary who corrupts $t \le n-2$ players

$$\max \Pr[S = s \mid G^t, C] = \max \Pr[S = s] = \frac{1}{n-t} ,$$

where the first maximum is taken over all random variables $S$ which depend only on the sequence of all messages, $C$, and on the set of randomness held by the corrupted players, $G^t = \{G_m\}_{m \in E}$. Here, $E \subset \mathcal{V} \setminus \{s\}$ is the set of players corrupted by the adversary; this excludes the trivial case where the sender $s$ himself is corrupted by the adversary. A protocol $P$ that allows a sender to be anonymous achieves sender anonymity. 

Similarly, we define the anonymity of a receiver: 

Definition 2. A $k$-round protocol $P$ allows a receiver $r$ to be anonymous, if for 
the adversary who corrupts $t \le n - 2$ players 

$$\max \Pr[R = r \mid G^t, C] = \max \Pr[R = r] = \frac{1}{n-t},$$

where the first maximum is taken over all random variables $R$ which depend only 
on the sequence of all messages, $C$, and on the set of randomness held by the 
corrupted players, $G^t = \{G_m\}_{m \in E}$. Here, $E \subset V \setminus \{r\}$ is 
the set of players corrupted by the adversary; this excludes the trivial case 
where the receiver $r$ himself is corrupted by the adversary. A protocol $P$ that 
permits a receiver to be anonymous achieves receiver anonymity. 
Note that protocols to hide the sender and receiver may not protect the data 
item sent. In particular there could be more players receiving the data item, 
even though there is only one receiver, which is determined before the protocol 
starts. The definition implies that the data sent via the protocol does not carry 
any compromising information itself. 

All known protocols for sender and receiver anonymity achieving information 
theoretic security need a reliable broadcast channel [17]. We will also make use 
of this primitive: 

Definition 3 (FGMR [17]). A protocol among $n$ players such that one distinct 
player $s$ (the sender) holds an input value $x_s \in L$ (for some finite domain $L$) 
and all players eventually decide on an output value in $L$ is said to achieve 
broadcast (or Byzantine Agreement) if the protocol guarantees that all honest 
players decide on the same output value $y \in L$, and that $y = x_s$ whenever the 
sender is honest. 

Informally, we say that a protocol is traceless, if it remains secure even if 
we make all resources available to an adversary at the end of the protocol. 
Consider for example the DC-net protocol discussed earlier. Imagine a curious 
burglar sneaking into the restaurant at night to gather all coin flips our group 
of cryptographers performed earlier on from the tapes of the security cameras. 
A protocol is traceless, if it can withstand this form of attack. 

We model this type of attack by granting the adversary one additional ability. 
After completion of the protocol, we allow the adversary to hijack any number 
of players. If an adversary hijacks player $m$, he breaks into the system and learns 
all randomness $G_m$ used by this player. In this paper, we allow the adversary 
to hijack all players after completion of the protocol. The adversary then learns 
all randomness used by the players, $G$. Nevertheless, we want him to remain 
ignorant about the identity of the sender and receiver. Formally, 

Definition 4. A $k$-round protocol $P$ with sender $s$ which achieves sender 
anonymity is sender traceless, if for the adversary who corrupts any $t \le n - 2$ 
players and, after completion of the protocol, hijacks all players 

$$\max \Pr[S = s \mid G, C] = \max \Pr[S = s] = \frac{1}{n-t},$$

where the first maximum is taken over all random variables $S$ which depend only 
on the sequence of all messages, $C$, and on the set of randomness held by all 
players, $G$. 

Likewise, exchanging the sender $s$ with the receiver $r$, we define the property 
traceless for receiver anonymous protocols. Recall that $G$ and $C$ do not contain 
the data item $d$ that was sent or the roles the players assumed during the course 
of the protocol. 


2.2 Limitations on Traceless Protocols 

Intuitively, we cannot hope to construct a classical protocol which is traceless 
and at the same time allows the receiver to learn what was sent: The only way 
data $d$ can be sent classically is by transmitting messages over the underlying 
network. If, however, an adversary has all information except the players' inputs 
and all communication is public, he can simply check the messages transmitted 
by each player to see if they "contain" $d$. 

Theorem 1. Let $P$ be a classical protocol with one sender and one receiver such 
that for all data items $d \in D$ with $|D| \ge 2$ the following holds: the sender of $d$ 
stays anonymous and the receiver knows $d$ at the end of the protocol. Then $P$ is 
not sender traceless. 

Proof. Let us assume by contradiction that the protocol is traceless. Without 
loss of generality, a player who is not the sender has input $d_0 \in D$ to the 
protocol. Let $d \in D$ be the data item that the sender $s$ wants to send. We assume 
that all but one player are honest during the run of the protocol. We would like 
to emphasize that the only information that is not written down is in fact the 
data item $d$ of the sender. 

The adversary corrupts one player. After completion of the protocol, he hi- 
jacks all players. He thus has access to all randomness and communication. Since 
a traceless protocol must resist the corruption of any player, it must also resist 
the corruption of the receiver. We therefore assume for the remainder of the 
proof that the adversary corrupts the receiver. 

Let us consider step $j$ in the protocol, where player $m$ has total information 
$g_m^j$ and sends communication $c_m^j$. Note that $c_m^j$ may only depend on the 
previous communication, on $g_m^j$, on $j$, on the number $m$ and on the role of 
player $m$, i.e. whether $m$ is sender, receiver or neither of them. If $m = s$, then 
the communication may also depend on $d$. Since the adversary has corrupted the 
receiver, and since there is only one receiver, the adversary knows that $m$ is 
either a normal player or the sender. Note that since the adversary corrupted the 
receiver, he also knows the value of $d$. 

After the protocol, the adversary, having access to $G$ and $C$, can now calculate 
the messages that player $m$ should have sent in round $j$ depending on whether 

1. $m$ was not sender or receiver, or, 

2. $m$ was the sender and sent item $d$. 

The messages are calculated as follows: In case 1, the adversary simulates 
the actions of player $m$ as if $m$ was neither sender nor receiver. This is possible, 
since the adversary has access to all randomness and all communication. In case 
2, the adversary simulates the actions of $m$ as if $m$ was the sender and sent 
data item $d$. Let $\{f_m^j\}_j$ and $\{\tilde{f}_m^j\}_j$ denote the sets of messages 
resulting from the simulations of cases 1 and 2 respectively. The adversary now 
checks whether the set of observed messages satisfies $\{c_m^j\}_j = \{f_m^j\}_j$ or 
$\{c_m^j\}_j = \{\tilde{f}_m^j\}_j$. If the first equality holds he concludes that 
$s \ne m$, and for the second that $s = m$. 

By assumption, the protocol is traceless for all $d$. Thus, the messages computed 
for case 2 must be identical to the messages computed for case 1 for all $d$, since 
otherwise the adversary could determine the sender $s$. This must hold for all 
steps $j$. But in this case the strategy the sender follows must be the same for 
both $d = d_0$ and $d \ne d_0$. Hence it cannot have been possible for $r$ to have 
obtained the value of $d$ in the first place and we have a contradiction to the 
assumption that the protocol achieves a transfer for all elements of a set $D$ with 
$|D| \ge 2$. □ 

Note that we make the assumption that there is exactly one receiver which is 
determined before the start of the protocol. Other players might still obtain 
the data item, as this is not a statement about the security of the message but 
merely about anonymity. 

2.3 Limitations on Shared Randomness 

In this section, we take a look at how many privately shared random bits are 
needed in order to perform anonymous transmissions. We thereby only consider 
unconditionally secure classical protocols based on privately shared random bits, 
such as for example the DC-net. In the following, we will view the players as 
nodes in an undirected graph. The notions of “nodes in a key-sharing graph” 
and “players” are used interchangeably. Similarly, edges, keys and private shared 
random bits are the same. Again, regard the broadcast channel as an abstract 
resource. 

Definition 5. The undirected graph $G = (V, E)$ is called the key-sharing graph 
if each node in $V$ represents exactly one of the players and there is an edge 
between two nodes $i$ and $j$ if and only if $i$ and $j$ share one bit of key $r_{ij}$. 

We first note that for any protocol $P$ that achieves sender anonymity, where 
the only resource used by the $n$ participating players is pairwise shared keys, a 
broadcast channel and public communication, the form of the key-sharing graph 
$G = (V, E)$ is important: 

Lemma 1. In any protocol $P$ to achieve sender anonymity among $n$ players, 
where the only resource available to the players is pairwise shared keys, a broad- 
cast channel and public communication, a collusion of $t$ players can break the 
sender's anonymity, if the corresponding collection of $t$ nodes partitions the key- 
sharing graph $G = (V, E)$. 

Proof. $t$ colluding nodes divide the key-sharing graph into $s$ disjoint sets of 
nodes $\{S_1, \dots, S_s\}$. Note that there is no edge connecting any of these sets, 
thus these sets do not share any keys. Now suppose that sender anonymity is still 
possible. Let $k_i \in S_i$ and $k_j \in S_j$ with $i \ne j$ be two nodes in different 
parts of the graph. Using a protocol achieving sender anonymity it is now possible 
to establish a secret bit between $k_i$ and $k_j$ [1]: Nodes $k_i$ and $k_j$ each 
generate $n$ random bits, $r_i^1, \dots, r_i^n$ and $r_j^1, \dots, r_j^n$. Node $k_i$ now 
announces $n$ data items of the form "Bit $b_k$ is $r_i^k$" for $1 \le k \le n$ using the 
protocol for sender anonymity. Likewise, node $k_j$ announces "Bit $b_k$ is $r_j^k$" for 
$1 \le k \le n$. Nodes $k_i$ and $k_j$ now discard all bits for which $r_i^k = r_j^k$ and 
use the remaining bits as a key. Note that an adversary only learns the value of 
$b_k$ if the two announcements are the same. If $r_i^k \ne r_j^k$, the adversary does 
not learn who has which bit, whereas each of the two nodes knows its own bit and 
hence also the other's. 
However, there is no channel between $S_i$ and $S_j$ that is not monitored by the 
colluding players. Thus, it cannot be possible to establish a secret bit between 
$k_i$ and $k_j$, since the only communication allowed is classical and public [26]. 
This establishes the contradiction and shows that the sender's anonymity can 
be broken if the graph can be partitioned. □ 

Furthermore, note that each player j needs to share one bit of key with at least 
two other players. Otherwise, his anonymity can be compromised. We can phrase 
this in terms of the key-sharing graph as 

Corollary 1. Each node $j \in V$ of the key-sharing graph $G = (V, E)$, used by a 
protocol $P$ for anonymous transmissions, where the only resource available to the 
$n$ players is pairwise shared keys, a broadcast channel and public communication, 
must have degree $d \ge 2$. 

Proof. Suppose on the contrary, that an arbitrary node $j$ has degree 1: it has 
only one outgoing edge to another node $k$. Clearly, node $k$ can partition the key- 
sharing graph into two disjoint sets $S_1 = \{j\}$ and $S_2 = V \setminus \{j, k\}$. By 
Lemma 1, node $k$ can break $j$'s anonymity. □ 

Corollary 2. Any protocol P that achieves sender anonymity, where no players 
collude and the only resource available to the n players is pairwise shared keys, 
a broadcast channel and public communication, needs at least n bits of pairwise 
shared keys. 

Proof. Consider again the key-sharing graph $G = (V, E)$. Suppose on the con- 
trary, that only $k < n$ bits of shared keys are used. Then $G$ has fewer than $n$ 
edges, so the sum of all degrees is less than $2n$ and there must be at least one 
node of degree at most 1. By Corollary 1 the anonymity of this node can be 
broken. Thus at least $n$ bits of shared keys are necessary. □ 

Corollary 3. Any protocol $P$ that achieves sender anonymity and is resistant 
against collusions of $t < n - 1$ players, where the only resources available to the $n$ 
players are pairwise shared keys, a broadcast channel and public communication, 
needs at least $n(n-1)/2$ bits of pairwise shared keys. 

Proof. Again consider the key-sharing graph $G$. Suppose on the contrary, that 
only $k < n(n-1)/2$ bits of shared keys are used. However, then there are only 
$k < n(n-1)/2$ edges in a graph of $n$ nodes, so $G$ is not complete: there are two 
nodes $u$ and $v$ without an edge between them. The remaining $t = n - 2$ nodes 
form a collusion which partitions the key-sharing graph into $\{u\}$ and $\{v\}$. By 
Lemma 1, they can then break the sender's anonymity. Thus $n(n-1)/2$ bits of 
pairwise shared key are necessary to tolerate up to $t < n - 1$ colluding players. □ 
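The conditions of Lemma 1 and Corollaries 1 to 3 can be checked mechanically for 
small networks. The following Python code is an added example, not part of the 
paper: it builds a key-sharing graph from pairwise keys, tests whether a set of 
colluding nodes partitions it, finds by exhaustive search the largest collusion a 
graph tolerates, and implements the anonymous key-agreement trick used in the 
proof of Lemma 1. The graph generators, the sample random bits and all function 
names are our own constructions. 

```python
from itertools import combinations

# Key-sharing graph: node = player, edge {i, j} = one shared key bit r_ij.


def cycle_graph(n):
    """Each player shares a key with two neighbours: n keys, every degree 2."""
    return {frozenset((i, (i + 1) % n)) for i in range(n)}


def complete_graph(n):
    """Every pair shares a key: n(n-1)/2 keys, every degree n-1."""
    return {frozenset(p) for p in combinations(range(n), 2)}


def path_graph(n):
    """A chain: the two end players have degree 1 (violates Corollary 1)."""
    return {frozenset((i, i + 1)) for i in range(n - 1)}


def degree(edges, v):
    return sum(1 for e in edges if v in e)


def components(nodes, edges):
    """Connected components of the sub-graph induced on `nodes`."""
    nodes, seen, comps = set(nodes), set(), []
    for start in nodes:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            v = stack.pop()
            if v in comp:
                continue
            comp.add(v)
            for e in edges:
                if v in e:
                    (w,) = e - {v}
                    if w in nodes and w not in comp:
                        stack.append(w)
        seen |= comp
        comps.append(comp)
    return comps


def partitions(n, edges, colluders):
    """Lemma 1: True if the honest players fall into >= 2 key-disjoint groups
    once the colluding nodes (who know every key they hold) are removed."""
    honest = set(range(n)) - set(colluders)
    return len(components(honest, edges)) >= 2


def max_tolerated_collusion(n, edges):
    """Largest t such that no collusion of t nodes partitions the graph.
    Exhaustive over all subsets, so only for small n; capped at n-2 because
    with a single honest player left there is nothing to partition."""
    best = 0
    for t in range(1, n - 1):
        if any(partitions(n, edges, c) for c in combinations(range(n), t)):
            break
        best = t
    return best


def anonymous_key_agreement(r_i, r_j):
    """The reduction in the proof of Lemma 1. Both nodes announce "bit b_k is
    r^k" through a sender-anonymous channel. Where the two announcements
    differ, the public only sees {0, 1} and cannot tell who said what, but
    each node knows its own bit and therefore the other's. Returns the key as
    derived by k_i and as derived by k_j; they must agree."""
    announced = [sorted((a, b)) for a, b in zip(r_i, r_j)]  # what everyone sees
    key_i = [a for a, b in zip(r_i, r_j) if a != b]          # k_i keeps its own bit
    key_j = [1 - b for b, pub in zip(r_j, announced) if pub == [0, 1]]  # k_j infers k_i's
    return key_i, key_j


if __name__ == "__main__":
    for name, g in (("cycle", cycle_graph(5)), ("complete", complete_graph(5))):
        print(name, len(g), "keys, tolerates", max_tolerated_collusion(5, g), "colluders")
```

For five players, the cycle uses exactly $n$ keys and tolerates one colluder but 
not two non-adjacent ones (Corollary 2), while the complete graph needs 
$n(n-1)/2 = 10$ keys and survives any $n-2 = 3$ colluders (Corollary 3). 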

2.4 Quantum Resources 

We assume familiarity with the quantum model [26]. The fundamental resource 
used in our protocols are $n$-party shared entangled states of the form 

$$|\Psi\rangle = \frac{1}{\sqrt{2}}\big(|0^n\rangle + |1^n\rangle\big) = \frac{1}{\sqrt{2}}\big(|0\rangle^{\otimes n} + |1\rangle^{\otimes n}\big).$$
These are commonly known as generalized GHZ states [21]. By "shared" we 
mean that each of the $n$ players holds exactly one qubit of $|\Psi\rangle$. They could have 
obtained these states at an earlier meeting or distribute and test them later on. 

The key observation used in our protocols is the fact that phase flips and 
rotations applied by the individual players have the same effect on the global 
state no matter who applied them. Consider for example the phase flip $\sigma_z$, 
which leaves $|0\rangle$ unchanged and maps $|1\rangle$ to $-|1\rangle$. If player number $i$ 
applies this transformation to his qubit, the global transformation is 
$U_i = I^{\otimes (i-1)} \otimes \sigma_z \otimes I^{\otimes (n-i)}$, where $I$ is the identity 
transform. We now have 
$\forall i \in \{1, \dots, n\} : U_i|\Psi\rangle = (|0^n\rangle - |1^n\rangle)/\sqrt{2}$. Note that this 
transformation takes place "instantaneously" and no communication is necessary. 

3 Traceless Quantum Protocols 

3.1 Model 

To obtain traceless anonymous transmissions we allow the players to have access 
to a generalized GHZ state. We assume that the n players have access to the 
following resources: 

1. $n$-qubit shared entangled states $|\Psi\rangle = (|0^n\rangle + |1^n\rangle)/\sqrt{2}$ on which the 
players can perform arbitrary measurements. 

2. A reliable broadcast channel. 


3.2 Sending Classical Bits 

To start with, we present a protocol to send a classical bit b anonymously, if 
the n players share an n-qubit entangled state \P). For now, we assume that 
only one person wants to send in each round of the protocol and deal with the 
case of multiple senders later on. We require our protocol to have the following 
properties: 

1. (Correctness) If all players are honest, they receive the data item $d$ that was 
sent by the sender. If some players are malicious, the protocol aborts or all 
honest players receive the same data item $d'$, not necessarily equal to $d$. 

2. (Anonymity) If up to $t \le n - 2$ players are malicious, the sender and receiver 
stay anonymous. 

3. (Tracelessness) The protocol is sender and receiver traceless. 

Protocol. Let's return to the original dinner table scenario described earlier. 
Suppose Alice, one of the dinner guests, wishes to send a bit $d \in D = \{0, 1\}$ 
anonymously. For this she uses the following protocol: 

Protocol 1: ANON($d$) 

Prerequisite: Shared state $(|0^n\rangle + |1^n\rangle)/\sqrt{2}$ 

1: Alice applies a phase flip $\sigma_z$ to her part of the state if $d = 1$ and does 
nothing otherwise. 

2: Each player (incl. Alice): 

- Applies a Hadamard transform to his/her qubit. 

- Measures his/her qubit in the computational basis. 

- Broadcasts his/her measurement result. 

- Counts the total number of 1's, $k$, in the $n$ measurement outcomes. 

- If $k$ is even, he/she concludes $d = 0$, otherwise $d = 1$. 

3: The protocol aborts if one or more players do not use the broadcast 
channel. 


Correctness. First of all, suppose all parties are honest. Since Alice applies 
the phase flip $\sigma_z$ depending on the value of the bit $d$ she wishes to send, the 
players obtain the state $(|0^n\rangle + |1^n\rangle)/\sqrt{2}$ if $d = 0$ and 
$(|0^n\rangle - |1^n\rangle)/\sqrt{2}$ if $d = 1$. By tracing out the other players' part of 
the state, we can see that no player can determine on his own whether the phase 
of the global state has changed. We therefore require the players to first apply a 
Hadamard transform $H$ to their qubit. This changes the global state such that we 
get a superposition of all strings $x \in \{0,1\}^n$ with an even number of 1's for no 
phase flip and an odd number of 1's if a phase flip has been applied: 

$$H^{\otimes n}\Big(\frac{1}{\sqrt{2}}\big(|0^n\rangle + (-1)^d|1^n\rangle\big)\Big) 
= \frac{1}{\sqrt{2^{n+1}}}\Big(\sum_{x \in \{0,1\}^n}|x\rangle + (-1)^d\sum_{x \in \{0,1\}^n}(-1)^{|x|}|x\rangle\Big) 
= \frac{1}{\sqrt{2^{n+1}}}\sum_{x \in \{0,1\}^n}\big(1 + (-1)^{d+|x|}\big)|x\rangle,$$

where $|x|$ denotes the Hamming weight of the string $x$. Thus we expect an even 
number of 1's if $d = 0$ and an odd number of 1's if $d = 1$. The players now measure 
their part of the state and announce the outcome. This allows each player to 
compute the number of 1's in the global outcome, and thus $d$. If more than one 
player had applied a phase flip, ANON computes the parity of the players' inputs. 
Broadcasting all measurement results needs $n$ uses of a broadcast channel. 

Now suppose that some of the players are malicious. Recall that we assume 
that the players use a reliable broadcast channel. This ensures that all honest 
players obtain the same value for each announcement. Thus two honest parties 
will never compute a different value for the sent data item $d$. Further, note that 
it may always be possible that one or more malicious players do not use the 
broadcast channel. This consequently results in an abort of the protocol. We 
conclude that the correctness condition is satisfied. 
Anonymity. As we noticed in Section 2, the resulting global state is independent 
of the identity of the person applying the phase flip. Since a phase flip is 
applied locally, no transmissions are necessary to change the global state. Sub- 
sequent transmissions are only dependent on the global state. Since this global 
state is invariant under an arbitrary permutation of the honest players and since 
the communication of the individual players depends only on their part of the 
states, the total communication during a run of the protocol P where player 
m sends d, is independent of the role of the player. If the sender is not one of 
the colluding players, then for the set of colluding players, all other players are 
equally likely to be sender. This is precisely the definition of sender anonymity. 
A receiver may be specified. His anonymity is then given directly as every player 
obtains the bit sent. 

Note that a player deviating from the protocol by inverting his measurement 
outcome or applying a phase flip himself will only alter the outcome, but not 
learn the identity of the sender. The same discussion holds when the protocol 
is executed multiple times in succession or in parallel. 

Tracelessness. The most interesting property of our quantum protocol is that 
it is completely traceless: The classical communication during the protocol is 
solely dependent on the global state, which is the same no matter who the 
sender is. This means that Alice's communication is independent of her bit $d$. 
The randomness is now determined by the measurement results of the global 
state, which has already been altered according to the players' inputs. Thus, the 
traceless condition is satisfied, because there is no record of Alice sending. 

We believe that the tracelessness is a very intuitive property of the quan- 
tum state, as sending $d$ simply changes the overall probability distribution of 
measurement outcomes instead of the individual messages of the sender. Note, 
however, that if we had first measured the state $|\Psi\rangle$ in the Hadamard basis to 
obtain classical information and then allowed the sender to invert the measured 
bit to send $d$, our protocol would no longer be traceless. We leave no record 
of Alice's activity in the form of classical information. Alice can later always deny 
that she performed the phase flip. Whereas this is stronger than classical proto- 
cols, it also makes our protocol more prone to disruptors. Unlike in the classical 
scenario, we cannot employ mechanisms such as traps suggested by Chaum [11], 
and Waidner and Pfitzmann [38], to trace back disruptors. If one of our players 
is determined to disrupt the channel by, for example, always applying a phase 
flip himself, we are not able to find and exclude him from the network. 

3.3 Anonymous Entanglement 

The dinner guests realize that if they could create entanglement with any of the 
other players anonymously, they could teleport a quantum state to that player 
anonymously as well. We define the notion of anonymous entanglement, which 
may be useful in other scenarios as well: 

Definition 6. If two anonymous players A and B share entanglement, we speak 
of anonymous entanglement (AE). 
Definition 7. If two players A and B share entanglement, where one of them 
is anonymous, we speak of one-sided anonymous entanglement (one-sided AE). 

It is possible to use shared entanglement together with classical communication 
to send quantum information using quantum teleportation [4]. Anonymous en- 
tanglement together with a protocol providing classical sender anonymity thus 
forms a virtual channel between two players who do not know who is sitting at 
the other end. This allows for easy sender and receiver anonymity for the trans- 
mission of qubits. Note that it is also possible to use anonymous entanglement 
to obtain a secure classical anonymous channel. Unlike ANON, this provides 
security of the data as well. Classically, such a virtual channel would have to be 
emulated by exchanging a key anonymously. We require that if all players are 
honest, the sender and recipient succeed in establishing an EPR pair. Further- 
more, the protocol should achieve sender and receiver anonymity with regard to 
the two parts of the shared state. If one or more players are dishonest, they may 
disrupt the protocol. 

Protocol. We use the same resource of shared states $|\Psi\rangle$ to establish anonymous 
entanglement for transmitting information by using an idea presented in the 
context of quantum broadcast [2]. More general protocols are certainly possible. 
For now, we assume that there are exactly two players, sender $s$ (Alice) and 
receiver $r$ (Bob), among the $n$ players interested in sharing an EPR pair. If more 
players are interested, they can use a form of collision detection described later. 


Protocol 2: AE 

Prerequisite: Shared state $(|0^n\rangle + |1^n\rangle)/\sqrt{2}$. 

1: Alice ($s$) and Bob ($r$) don't do anything to their part of the state. 

2: Every player $j \in V \setminus \{s, r\}$ 

- Applies a Hadamard transform to his qubit. 

- Measures this qubit in the computational basis with outcome $m_j$. 

- Broadcasts $m_j$. 

3: $s$ picks a random bit $b \in_R \{0, 1\}$ and broadcasts $b$. 

4: $s$ applies a phase flip $\sigma_z$ to her qubit if $b = 1$. 

5: $r$ picks a random bit $b' \in_R \{0, 1\}$ and broadcasts $b'$. 

6: $r$ applies a phase flip $\sigma_z$ to his qubit, if $b \oplus \bigoplus_{j \in V \setminus \{s, r\}} m_j = 1$. 


Correctness. The shared state after the $n-2$ remaining players applied the 
Hadamard transform becomes: 

$$I_A \otimes I_B \otimes H^{\otimes (n-2)}\Big(\frac{1}{\sqrt{2}}\big(|0^n\rangle + |1^n\rangle\big)\Big) 
= \frac{1}{\sqrt{2^{n-1}}}\sum_{x \in \{0,1\}^{n-2}}\big(|00\rangle|x\rangle + (-1)^{|x|}|11\rangle|x\rangle\big).$$

All players except Alice and Bob measure this state and obtain some $x$. The 
state for Alice and Bob is thus $(|00\rangle + (-1)^{|x|}|11\rangle)/\sqrt{2}$. After Alice's phase 
flip the system is in state $(|00\rangle + (-1)^{|x| \oplus b}|11\rangle)/\sqrt{2}$. The parity of the 
measurement results gives $|x| \bmod 2 = \bigoplus_{j \in V \setminus \{s, r\}} m_j$. Thus Bob can 
correct the state to $(|00\rangle + |11\rangle)/\sqrt{2}$ as desired. 

Anonymity. The measurement outcomes are random. Thus, the players obtain 
no information during the measurement step. Likewise, the bits broadcast by 
Alice and Bob are random. Thus both of them remain hidden. Note that the 
protocol is resistant to collusions of up to n — 2 players: The combined measure- 
ment outcomes still do not carry any information about Alice and Bob. 
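As an added example, not part of the paper, the following Python code simulates 
the phase-flip observation of Section 2.4, Protocol 1 (ANON) and Protocol 2 (AE) 
on an explicit state vector. The simulator, the function names and the seeds are 
our own constructions; player $0$'s qubit is the most significant bit of the state 
index, and $n$ must stay small since the state has $2^n$ amplitudes. 

```python
import math
import random

# Tiny state-vector simulator (our own helper, not from the paper). An n-qubit
# state is a list of 2**n complex amplitudes; player 0's qubit is the most
# significant bit of the index.

SQ2 = 1 / math.sqrt(2)
Z = [[1, 0], [0, -1]]            # phase flip sigma_z
H = [[SQ2, SQ2], [SQ2, -SQ2]]    # Hadamard


def ghz(n):
    """|Psi> = (|0^n> + |1^n>)/sqrt(2), one qubit per player."""
    st = [0j] * (1 << n)
    st[0] = st[-1] = SQ2
    return st


def apply(st, gate, q, n):
    """Apply a 2x2 gate to qubit q of an n-qubit state."""
    bit, out = 1 << (n - 1 - q), list(st)
    for i in range(len(st)):
        if not i & bit:
            a0, a1 = st[i], st[i | bit]
            out[i] = gate[0][0] * a0 + gate[0][1] * a1
            out[i | bit] = gate[1][0] * a0 + gate[1][1] * a1
    return out


def measure(st, q, n, rng):
    """Measure qubit q in the computational basis: (outcome, collapsed state)."""
    bit = 1 << (n - 1 - q)
    p1 = round(sum(abs(a) ** 2 for i, a in enumerate(st) if i & bit), 12)
    m = 1 if rng.random() < p1 else 0
    norm = math.sqrt(p1 if m else 1 - p1)
    return m, [a / norm if bool(i & bit) == bool(m) else 0j for i, a in enumerate(st)]


def flip_is_untraceable(n):
    """Section 2.4: sigma_z applied by player i gives the same global state for every i."""
    states = [apply(ghz(n), Z, i, n) for i in range(n)]
    return all(s == states[0] for s in states)


def anon(n, sender, d, rng):
    """Protocol 1, ANON(d): returns (broadcast outcomes, bit every player decodes)."""
    st = ghz(n)
    if d == 1:
        st = apply(st, Z, sender, n)          # step 1: local, no message sent
    for q in range(n):
        st = apply(st, H, q, n)               # step 2: Hadamard ...
    outcomes = []
    for q in range(n):
        m, st = measure(st, q, n, rng)        # ... measure and broadcast
        outcomes.append(m)
    return outcomes, sum(outcomes) % 2        # parity of the 1's is d


def ae(n, s, r, rng):
    """Protocol 2, AE: returns the transcript and the four amplitudes left on the
    qubits of s and r, which should be (|00> + |11>)/sqrt(2) whatever was measured."""
    st, m = ghz(n), {}
    for q in [q for q in range(n) if q not in (s, r)]:
        st = apply(st, H, q, n)
        m[q], st = measure(st, q, n, rng)     # step 2: everybody else measures
    b = rng.randrange(2)                      # step 3: s broadcasts a random b
    if b:
        st = apply(st, Z, s, n)               # step 4
    b_prime = rng.randrange(2)                # step 5: r's dummy broadcast
    if b ^ (sum(m.values()) % 2):
        st = apply(st, Z, r, n)               # step 6: r removes the (-1)^{|x|+b} phase
    pair = []
    for a in (0, 1):
        for c in (0, 1):
            idx = 0
            for q in range(n):
                idx = (idx << 1) | (a if q == s else c if q == r else m[q])
            pair.append(st[idx])
    return {"m": m, "b": b, "b'": b_prime}, pair


def anon_correct(n, seed):
    rng = random.Random(seed)
    return all(anon(n, s, d, rng)[1] == d for s in range(n) for d in (0, 1))


def ae_yields_epr(n, s, r, seed, trials=20):
    rng = random.Random(seed)
    for _ in range(trials):
        _, p = ae(n, s, r, rng)
        if not (abs(p[0] - SQ2) < 1e-9 and abs(p[3] - SQ2) < 1e-9
                and abs(p[1]) < 1e-9 and abs(p[2]) < 1e-9):
            return False
    return True


if __name__ == "__main__":
    print(anon(4, 2, 1, random.Random(1)))
    print(ae(4, 0, 3, random.Random(1)))
```

The transcript returned by `ae` (the $m_j$, $b$ and $b'$) is all an observer sees; it 
is uniformly random, while the pair's state comes out as the EPR pair every time. 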

3.4 Sending Qubits 

Let’s return to the dinner table once more. After they have been dining for 
hours on end, Bob, the waiter, finally shows up and demands that the bill is 
paid. Alice, one of the dinner guests, is indeed willing to pay using her novel 
quantum coins, however, does not want to reveal this to her colleagues. The 
goal is now to transmit an arbitrary qubit and not mere classical information. 
As before, we ask that our protocol achieves sender and receiver anonymity and 
is traceless. Furthermore, if all players are honest, the receiver should obtain 
the qubit sent. Note that unlike in the classical case, we do not require that 
all honest players hold the same qubit at the end of the protocol. This would 
contradict the no-cloning property of quantum states. Alice now uses the shared 
EPR pair to send a quantum coin $|\phi\rangle$ to Bob via teleportation [26]. 


Protocol 3: ANONQ($|\phi\rangle$) 

Prerequisite: Shared states $(|0^n\rangle + |1^n\rangle)/\sqrt{2}$ 

1: The players run AE: Alice and Bob now share an EPR pair 
$|\Gamma\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$. 

2: Alice uses the quantum teleportation circuit with input $|\phi\rangle$ and EPR 
pair $|\Gamma\rangle$, and obtains measurement outcomes $m_0, m_1$. 

3: The players run ANON($m_0$) and ANON($m_1$) with Alice being the 
sender. 

4: Bob applies the transformation described by $m_0, m_1$ on his part of $|\Gamma\rangle$ 
and obtains $|\phi\rangle$. 

If all players are honest, after step 1, Alice and Bob share the state 
$|\Gamma\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$ anonymously. The correctness condition is thus 
satisfied by the correctness of quantum teleportation. As discussed earlier, AE 
and ANON($b$) do not leak any information about Alice or Bob. Since no additional 
information is revealed during the teleportation step, it follows that ANONQ($|\phi\rangle$) 
does not leak any information either and our anonymity condition is satisfied. In 
our example, we only wanted Alice to perform her payment anonymously, whereas 
Bob is known to all players. Our protocol also works, however, if Alice does not 
know the identity of Bob. 
4 Dealing with Multiple Senders 

So far, we have assumed that only a single person is sending in any one round. 
In reality, many users may wish to send simultaneously, leading to collisions. A 
user can easily detect a collision if it changes the classical outcome of the trans- 
mission. Depending on the application this may be sufficient. However, it may be 
desirable to detect collisions leading to the same outcome. This is important if we 
want to know the value of each of the bits sent and not only their overall parity. 

The simplest way to deal with collisions is for the user to wait a random num- 
ber of rounds, before attempting to resend the bit. This method was suggested by 
Chaum [11] and is generally known as ALOHA [34]. Unfortunately this approach 
is rather wasteful, if many players try to send simultaneously. Alternatively one 
could use a reservation map technique based on collision detection similar to 
what was suggested by Pfitzmann et al. [28]: For this one uses $n$ applications of 
collision detection (of $\lceil \log n \rceil + 1$ rounds each) to reserve the following $n$ slots. 

We will now present a simple quantum protocol to detect all kinds of colli- 
sions, provided that no user tries to actively disrupt the protocol. We use the 
same resource, namely shared entangled states $|\Psi\rangle$. The important point of this 
protocol is that it is traceless. 

4.1 Protocol 

Before each round of communication, the $n$ players run a $(\lceil \log n \rceil + 1)$-round 
test to check whether a collision would occur. For this they require $\lceil \log n \rceil + 1$ 
additional states of the form $|\Psi\rangle = (|0^n\rangle + |1^n\rangle)/\sqrt{2}$. Each state is rotated 
before the start of the collision detection protocol. Let 

$$U_j = R_z(-\pi/2^j) \otimes I^{\otimes (n-1)}, \qquad 
R_z(\theta) = \begin{pmatrix} e^{-i\theta/2} & 0 \\ 0 & e^{i\theta/2} \end{pmatrix},$$

and map the $j$th state to $|t_j\rangle = U_j|\Psi\rangle$. This could for example be done by a 
dedicated player or be determined upon distribution of the entangled states $|\Psi\rangle$. 


Protocol 4: Collision Detection 

Prerequisite: $\lceil \log n \rceil + 1$ states $|\Psi\rangle = (|0^n\rangle + |1^n\rangle)/\sqrt{2}$ 

1: A designated player prepares $\lceil \log n \rceil + 1$ states by rotations: 
For $0 \le j \le \lceil \log n \rceil$, he applies $R_z(-\pi/2^j)$ to his part of one $|\Psi\rangle$ to 
create $|t_j\rangle$. 

2: In round $0 \le j \le \lceil \log n \rceil$ each of the $n$ players 

- Applies $R_z(\pi/2^j)$ to his part of the state $|t_j\rangle$, if he wants to send. 

- Applies a Hadamard transform to his part of the state. 

- Measures in the computational basis. 

- Announces his measurement result to all other players. 

- Counts the total number of 1's, $k_j$, in the measurement results. 

- If $k_j$ is odd, concludes a collision has occurred and the protocol ends. 

3: If all $k_j$ are even, exactly 1 player wants to send. 
4.2 Correctness and Privacy 

Let's first take an informal look at why this works. In round $j$ with 
$0 \le j \le \lceil \log n \rceil$, each user who wishes to send applies a rotation described by 
$R_z(\pi/2^j)$ to his part of the state. Note that if exactly one user tries to send, 
this simply rotates the global state back to the original state 
$|\Psi\rangle = (|0^n\rangle + |1^n\rangle)/\sqrt{2}$. If $k > 1$ users try to send, we can detect the 
collision in round $j$ such that $k = 2^j m + 1$ where $m \in \mathbb{N}$ is odd: First $|t_j\rangle$ 
is rotated back to $|\Psi\rangle$ by the first of the $k$ senders. The state is then rotated 
further by an angle of $(\pi/2^j) \cdot 2^j m = m\pi$. But $R_z(m\pi)$ with $m$ odd applied to 
$|\Psi\rangle$ gives $|\Psi'\rangle = \pm i(|0^n\rangle - |1^n\rangle)/\sqrt{2}$, where we can ignore the global 
phase. The users now all apply a Hadamard transform to their part of the state 
again, measure and broadcast their measurement results to all players. As before, 
they can distinguish between $|\Psi\rangle$ and $|\Psi'\rangle$ by counting the number of 1's in the 
outcome. If the number of users who want to send in round $j$ is not of the form 
$2^j m + 1$ with $m$ odd, the players may observe an even or odd number of 1's. The 
crucial observation is that in $\lceil \log n \rceil + 1$ rounds, the players will obtain $|\Psi'\rangle$ 
at least once, if more than one user wants to send, which they can detect. If no 
phase flip has been observed in all rounds of the collision detection protocol, the 
players can be sure there is exactly one sender. The key to this part of the protocol 
is the following simple observation: 

Lemma 2. For any integer $2 \le k \le n$, there exist unique integers $m$ and $j$, 
with $m$ odd and $0 \le j \le \lceil \log n \rceil$, such that $k = 2^j m + 1$. 

Proof. By the fundamental theorem of arithmetic we can write $k - 1 = 2^j m$ for 
unique $j, m \in \mathbb{N}$ where $m$ is odd. We have $j \le \lceil \log n \rceil$, since $2 \le k \le n$. 
Thus $k = 2^j m + 1$. □ 

Corollary 4. $\lceil \log n \rceil + 1$ rounds, using one state $(|0^n\rangle + |1^n\rangle)/\sqrt{2}$ each, are 
sufficient to detect $2 \le k \le n$ senders within a group of $n$ players. 

Proof. Using Lemma 2 we can write $k = 2^j m + 1$ with $0 \le j \le \lceil \log n \rceil$. In 
round $j$ the final state will be 
$R_z\big((2^j m) \cdot (\pi/2^j)\big)|\Psi\rangle = R_z(m\pi)|\Psi\rangle = \pm i(|0^n\rangle - |1^n\rangle)/\sqrt{2}$, 
which the players can detect. □ 

There exists a classical protocol already suggested by Pfitzmann et al. [37] using 
0(n 2 logn) bits of private shared randomness. However, this protocol is not 
traceless as desired by our protocol. Our protocol preserves anonymity and is 
traceless by the same argument used in Section 3.2. 
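Because every operation in Protocol 4 acts only on the two amplitudes of $|0^n\rangle$ 
and $|1^n\rangle$, the round-by-round behaviour can be computed from the relative phase 
instead of simulating $n$ qubits. The following Python code is an added example, 
not part of the paper: it computes the phase $(k-1)\pi/2^j$ left after the designated 
player's rotation and the rotations of $k$ senders, the resulting probability of an 
odd number of 1's among the broadcast outcomes, the round in which Lemma 2 
guarantees detection, and a sampled run of the protocol. The function names, the 
seed and the numerical check in `always_detected` are our own. 

```python
import math
import random


def rounds(n):
    """Number of collision-detection rounds, ceil(log2 n) + 1, indexed 0..ceil(log2 n)."""
    return math.ceil(math.log2(n)) + 1


def relative_phase(k, j):
    """After the designated player's R_z(-pi/2^j) and k senders' R_z(pi/2^j) the
    state is (|0^n> + e^{i phi}|1^n>)/sqrt(2) with phi = (k-1) pi / 2^j: each R_z
    on one qubit of the GHZ state only shifts the relative phase by its angle."""
    return (k - 1) * math.pi / 2 ** j


def odd_parity_probability(k, j):
    """Probability that the n broadcast outcomes contain an odd number of 1's in
    round j. After H^{(x)n} the amplitude of x is proportional to
    1 + e^{i phi} (-1)^{|x|}, which gives total weight (1 - cos phi)/2 on odd |x|."""
    return (1 - math.cos(relative_phase(k, j))) / 2


def certain_round(k):
    """Lemma 2: write k - 1 = 2^j m with m odd; round j then detects k >= 2
    senders with certainty. Returns (j, m)."""
    if k < 2:
        raise ValueError("a collision needs at least two senders")
    j, m = 0, k - 1
    while m % 2 == 0:
        j, m = j + 1, m // 2
    return j, m


def always_detected(n):
    """Corollary 4 checked numerically: every k in 2..n has a round
    j <= ceil(log2 n) in which odd parity occurs with probability 1."""
    for k in range(2, n + 1):
        j, _ = certain_round(k)
        if j >= rounds(n) or abs(odd_parity_probability(k, j) - 1) > 1e-9:
            return False
    return True


def run_collision_detection(n, k, seed):
    """Sample one execution of Protocol 4 with k senders (seeded for
    reproducibility): True iff some round reports an odd number of 1's."""
    rng = random.Random(seed)
    return any(rng.random() < odd_parity_probability(k, j) for j in range(rounds(n)))


if __name__ == "__main__":
    for k in range(2, 9):
        j, m = certain_round(k)
        print(f"k={k}: k-1 = 2^{j}*{m}, certain in round {j}",
              [round(odd_parity_probability(k, r), 3) for r in range(rounds(8))])
```

The same formula shows what happens when nobody sends: with $k = 0$ the phase in 
round $0$ is $-\pi$, so the players observe odd parity and stop, just as for a 
collision; "all $k_j$ even" therefore really does mean exactly one sender. 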

When sending quantum states, collisions are not so easy to detect, since they 
do not change the outcome noticeably. The protocol to establish anonymous 
entanglement relies on the fact that only two players refrain from measuring. 
We thus require some coordination between the two players. Here, we can make 
use of the same collision detection protocol as we used to send classical bits: First 
run the collision detection protocol to determine the sender. The sender again 
indicates that he wants to send by applying the rotations. Then perform another 
application of collision detection for the receiver. 

5 Conclusions and Future Work 

We have presented a protocol for achieving anonymous transmissions using 
shared quantum states together with a classical broadcast channel. The main 
feature of this protocol is that, unlike all classical protocols, it prevents later re- 
construction of the sender. This indicates that shared entangled states are very 
well suited to achieve anonymity. Perhaps similar techniques could also play an 
important role in other protocols where such a traceless property is desirable. 

Our protocol is a first attempt at providing anonymous transmissions with 
this particular property. More efficient protocols may be possible. Perhaps a 
different form of quantum resource gives an additional advantage. However, we 
believe that our protocol is close to optimal for the given resources. We have 
also not considered the possibility of allowing quantum communication between 
the players, which could be required by more efficient protocols. It is also open 
whether a better form of collision detection and protection against malicious 
disruptors is possible. The states used for our collision detection protocol are 
hard to prepare if n is very large. Furthermore, using shared entangled states, it 
is always possible for a malicious user to measure his qubit in the computational 
basis to make further transmissions impossible. 

So far, we have simply assumed that the players share a certain quantum 
resource. In reality, however, this resource would need to be established before 
it can be used. This would require quantum communication among the players 
in order to distribute the necessary states and at least classical communication 
for verification purposes. The original DC-net protocol suffers from a similar 
problem with regard to the distribution of shared keys, which is impossible to 
do from scratch using only classical channels [26] . Some quantum states on the 
other hand have the interesting property that the players can create and test 
the states among themselves, instead of relying on a trusted third party. 
Abstract. We consider scenarios in which two parties, each in possession 
of a graph, wish to compute some algorithm on their joint graph 
in a privacy-preserving manner, that is, without leaking any information 
about their inputs except that revealed by the algorithm’s output. 

Working in the standard secure multi-party computation paradigm, 
we present new algorithms for privacy-preserving computation of APSD 
(all pairs shortest distance) and SSSD (single source shortest distance), 
as well as two new algorithms for privacy-preserving set union. Our al- 
gorithms are significantly more efficient than generic constructions. As 
in previous work on privacy-preserving data mining, we prove that our 
algorithms are secure provided the participants are “honest, but curious.” 

Keywords: Secure Multiparty Computation, Graph Algorithms, Privacy. 

1 Introduction 

In this paper, we investigate scenarios with two mutually distrustful parties, each 
in possession of a graph (representing, e.g., a network topology, a distribution 
channel map, or a social network). The parties wish to compute some algorithm 
on their combined graph, but do not wish to reveal anything about their private 
graphs beyond that which will be necessarily revealed by the output of the 
algorithm in question. 

For example, consider two Internet providers who are contemplating a merger 
and wish to see how efficient the resulting joint network would be without reveal- 
ing the details of their existing networks; or two transportation companies trying 
to determine who has the greatest capacity to ship goods between a given pair 
of cities without revealing what that capacity is or which distribution channels 
contribute to it; or two social networking websites wishing to calculate aggre- 
gate statistics such as degrees of separation and average number of acquaintances 
without compromising privacy of their users, and so on. 

In this paper, we construct privacy-preserving versions of classic graph algo- 
rithms for APSD (all pairs shortest distance) and SSSD (single source shortest 
distance). Our algorithm for APSD is new, while the SSSD algorithm is a privacy- 
preserving transformation of the standard Dijkstra’s algorithm. We also show 
that minimum spanning trees can be easily computed in a privacy-preserving 
manner. As one of our tools, we develop protocols for privacy-preserving set 
union, which are results of independent interest. 

B. Roy (Ed.): ASIACRYPT 2005, LNCS 3788, pp. 236-252, 2005. 
We demonstrate that our constructions are significantly more efficient than 
those based on generic constructions for secure multi-party computation such 
as Yao’s garbled circuits [39]. Some of the efficiency gain is due to our use of 
canonical orderings on graph edges. We believe that this technique may find 
applicability beyond the problems considered in this paper. 

We prove that our constructions are secure in the semi-honest model. Assum- 
ing that a party correctly follows the protocol, there is no efficient adversary that 
can extract more information from the transcript of the protocol execution than 
is revealed by that party’s private input and the result of the graph algorithm. 
Our choice of the semi-honest model follows previous work on privacy-preserving 
data mining such as Lindell and Pinkas’ construction for a privacy-preserving 
version of the ID3 decision tree learning algorithm [28], and constructions by 
Yang et al. for privacy-preserving classification [38] . 

In general, the semi-honest model seems to be the right fit for our setting, 
where there is no realistic way to verify that the parties are submitting their 
true graphs as private inputs. The best we could hope for in the case of actively 
malicious participants is a protocol in which the parties first commit to their 
graphs, and then prove at every step of the protocol that their inputs match their 
commitments. This would greatly complicate the protocols without providing 
any protection against parties who maliciously choose their graphs in such a way 
that the result of the computation on the joint graph completely reveals the other 
party’s input. We leave investigation of privacy-preserving graph algorithms in 
the model with malicious participants to future work. 

This paper is organized as follows. We survey related work in section 2, 
then present our definition of privacy in section 3 and our cryptographic toolkit, 
including a construction for private set union, in section 4. Section 5 contains 
the main results of the paper: privacy-preserving APSD and SSSD algorithms. 
Their complexity is analyzed in section 6. Conclusions are in section 7. 

2 Related Work 

This paper follows a long tradition of research on privacy-preserving algorithms 
in the so-called secure multiparty computation (SMC) paradigm. Informally, se-
curity of a protocol in the SMC paradigm is defined as computational indistin-
guishability from some ideal functionality, in which a trusted third party accepts 
the parties’ inputs and carries out the computation. The ideal functionality is 
thus secure by definition. The actual protocol is secure if the adversary’s view in 
any protocol execution can be simulated by an efficient simulator who has access 
only to the ideal functionality, i.e., the actual protocol does not leak any infor- 
mation beyond what is given out by the ideal functionality. Formal definitions 
for various settings can be found, for example, in [6,7,22]. 

Any polynomial-time multi-party computation can be done in a privacy- 
preserving manner using generic techniques of Yao [39] and Goldreich, Micali, 
and Wigderson [23]. Generic constructions, however, are sometimes impractical 
due to their complexity. Recent research has focused on finding more efficient 
privacy-preserving algorithms for specific problems such as computation of ap-
proximations [18], auctions [33], set matching and intersection [20], surveys [19], 
computation of the k-th ranked element [1] and especially data mining problems 
such as privacy-preserving computation of decision trees [28], classification of 
customer data [38], and mining of vertically partitioned data [16,37]. 

The techniques we use in this paper are closely related to those previously 
used in the cryptographic version of privacy-preserving data mining, e.g., by 
Lindell and Pinkas in their privacy-preserving transformation of the ID3 algo- 
rithm [28]. We, too, use generic Yao’s protocol [39,29] as a building block. Yao’s 
protocol can be implemented using efficient constructions for oblivious trans- 
fer [31,32] and secure function evaluation [30]. 

In this paper, we aim to follow the SMC tradition and provide provable 
cryptographic guarantees of security for our constructions. Another line of re- 
search has focused on statistical privacy in databases, typically achieved by ran- 
domly perturbing individual data entries while preserving some global proper- 
ties [4,2,5,3,26,12,17]. A survey can be found in [36]. The proofs of security in 
this framework are statistical rather than cryptographic in nature, and typi- 
cally permit some leakage of information, while supporting more efficient con- 
structions. In this paradigm, Clifton et al. have also investigated various data 
mining problems [10,24,35,25], while Du et al. researched special-purpose con- 
structions for problems such as privacy-preserving collaborative scientific analy- 
sis [14,13,34,15]. Recent work by Chawla et al. [8] aims to bridge the gap between 
the two frameworks and provide rigorous cryptographic definitions of statistical 
privacy in the SMC paradigm. 

Another line of cryptographic research on privacy focuses on private infor- 
mation retrieval (PIR) [9,21], but the problems and techniques in PIR are sub- 
stantially different from this paper. 

3 Definition of Privacy 

We use a simplified form of the standard definition of security in the static 
semi-honest model due to Goldreich [22] (this is the same definition as used, for 
example, by Lindell and Pinkas [28]). 

Definition 1. (computational indistinguishability): Let $S \subseteq \{0,1\}^*$. Two 
ensembles (indexed by $S$), $X = \{X_w\}_{w \in S}$ and $Y = \{Y_w\}_{w \in S}$, are computationally 
indistinguishable (by circuits) if for every family of polynomial-size circuits, 
$\{D_n\}_{n \in \mathbb{N}}$, there exists a negligible (i.e., dominated by the inverse of any polyno-
mial) function $\mu : \mathbb{N} \to [0,1]$ so that 

$$\big|\Pr[D_n(w, X_w) = 1] - \Pr[D_n(w, Y_w) = 1]\big| < \mu(|w|)$$

In such a case we write $X \stackrel{c}{\equiv} Y$. 

Suppose $f$ is a polynomial-time functionality (deterministic in all cases con-
sidered in this paper), and $\pi$ is the protocol. Let $x$ and $y$ be the parties’ respective 
private inputs to the protocol. For each party, define its view of the protocol as 
$(x, r^1, m^1_1, \ldots, m^1_t)$ (respectively, $(y, r^2, m^2_1, \ldots, m^2_t)$), where $r^{1,2}$ are the parties’ 
internal coin tosses, and $m^i_j$ is the $j$-th message received by party $i$ during the 
execution of the protocol. We will denote the $i$-th party’s view as $\mathrm{view}^{\pi}_i(x, y)$, and 
its output in the protocol as $\mathrm{output}^{\pi}_i(x, y)$. 

Definition 2. Protocol $\pi$ securely computes deterministic functionality $f$ in the 
presence of static semi-honest adversaries if there exist probabilistic polynomial-
time simulators $S_1$ and $S_2$ such that 

$$\{S_1(x, f(x,y))\}_{x,y \in \{0,1\}^*} \stackrel{c}{\equiv} \{\mathrm{view}^{\pi}_1(x,y)\}_{x,y \in \{0,1\}^*}$$

$$\{S_2(y, f(x,y))\}_{x,y \in \{0,1\}^*} \stackrel{c}{\equiv} \{\mathrm{view}^{\pi}_2(x,y)\}_{x,y \in \{0,1\}^*}$$

where $|x| = |y|$. 

Informally, this definition says that each party’s view of the protocol can be 
efficiently simulated given only its private input and the output of the algorithm 
that is being computed (and, therefore, the protocol leaks no information to a 
semi-honest adversary beyond that revealed by the output of the algorithm). 

4 Tools 

As building blocks for our algorithms, we use protocols for privacy-preserving 
computation of a minimum $\min(x, y)$ and set union $S_1 \cup S_2$. 

In the minimum problem, the parties have as their respective private inputs 
integers $x_1$ and $x_2$ which are representable in $n$ bits. They wish to privately com-
pute $m = \min(x_1, x_2)$. Because this problem is efficiently solved by a simple cir-
cuit containing $O(n)$ gates, it is a good candidate for Yao’s generic method [39]. 
An implementation of this functionality with Yao’s garbled circuit requires 2 
communication rounds with $O(n)$ total communication complexity and $O(n)$ 
computational complexity. 

4.1 Privacy-Preserving Set Union 

In the set union problem, parties $P_1$ and $P_2$ have as their respective private 
inputs sets $S_1$ and $S_2$ drawn from some finite universe $U$. They wish to compute 
the set $S = S_1 \cup S_2$ in a privacy-preserving manner, i.e., without leaking which 
elements of $S$ are in the intersection $S_1 \cap S_2$. We will define $|S_1| = s_1$, $|S_2| = s_2$, 
$|S| = s$, and $|U| = u$. 

In this section, we give two solutions for privacy-preserving set union: the 
iterative method, and the tree-pruning method. Both require communication 
and computational complexity that is logarithmic in $u$, provided $s$ is small (note 
that even if we are not concerned about privacy, computing the set union requires 
at least $O(s \lg u)$ bandwidth, although it can be done in 1 round). Appendix B 
surveys several previously proposed techniques that can be used to compute the 
set union, but these techniques are all either linear in u (or worse), or do not 
fully preserve privacy. 
Iterative method. The basic idea of the iterative method is to build up $S$ one 
element at a time, from “smallest” to “largest.” Before the protocol begins, 
both parties agree upon a canonical total ordering for the entire universe $U$. As 
a result, each element in $U$ is given an integer label with $\lg u$ bits. In addition, 
we need a label representing $\infty$, for which we can simply use the integer $u + 1$. The 
protocol proceeds as follows: 

Step 1. Set $S = \emptyset$. 

Step 2. $P_1$ selects $m_1$ as the canonically smallest element in $S_1$, or sets $m_1 = \infty$ 
if $S_1 = \emptyset$. $P_2$ likewise selects $m_2$ as the canonically smallest element in $S_2$, or 
sets $m_2 = \infty$ if $S_2 = \emptyset$. 

Step 3. Using a protocol for private minimum, $P_1$ and $P_2$ privately compute 
$m = \min(m_1, m_2)$. 

Step 4. If $m = \infty$, stop and return $S$. Otherwise, set $S = S \cup \{m\}$ and let the parties 
remove $m$ from their input sets (it may be present in one or both). Then return 
to step 2. 

The protocol preserves privacy because, given the output set $S$, a simulator 
can determine the value of $m$ at each iteration. The protocol used for computing 
the minimum is private, so there exists an efficient algorithm that can simulate 
its execution to the party $P_1$ given its input and the output $m$ (likewise for 
$P_2$). The simulator for the iterative method protocol uses the simulator for the 
minimum protocol as a subroutine, following the standard hybrid argument. 

The iterative method protocol requires $s + 1$ iterations, and in each itera-
tion the minimum of two $(\lg u)$-bit integers is privately computed. Using Yao’s 
method, this requires a circuit with $2 \lg u$ inputs and $O(\lg u)$ gates. The $2 \lg u$ 
oblivious transfers can all take place in parallel, and since Yao’s method re-
quires a constant number of rounds the whole protocol takes $O(s)$ communi-
cation rounds. The total communication and computational complexity for the 
iterative method is $O(s \lg u)$. 

Tree-pruning method. Before the tree-pruning protocol begins, the participants 
agree on a $(\lg u)$-bit binary label for each element in the universe (note that a 
canonical total ordering would automatically provide such a label). The basic 
idea of the protocol is that the participants will consider label prefixes of in-
creasing length, and use a privacy-preserving Bit-Or protocol (see appendix C) 
to determine if either participant has an element with that prefix in his set. 

Initially, the single-bit prefixes “0” and “1” are set “live.” The protocol pro-
ceeds through $\lg u$ rounds, starting with round 1. In the $i$-th round, the partic-
ipants consider the set $P$ of $i$-bit “live” prefixes. For each prefix $p \in P$, each 
participant sets his respective 1-bit input to 1 if he has an element in his set 
with prefix $p$, and to 0 if he does not have any such elements. The participants 
then execute a privacy-preserving Bit-Or protocol on their respective 1-bit in-
puts. If the result of the Bit-Or protocol is 1, then $p0$ and $p1$ are set as live 
$(i + 1)$-bit prefixes. Otherwise, $p0$ and $p1$ are dead prefixes. 

By a simple inductive argument, the number of live prefixes in each round 
does not exceed $2 \cdot |S|$, because an $i$-bit prefix $p_i = b_1 \ldots b_i$ can be live if and 
only if at least one of the participants has an element whose label starts with 
$b_1 \ldots b_{i-1}$, and the number of such elements cannot exceed the total number of 
elements in the union, i.e., $|S|$. 

In the last round ($i = \lg u$), the length of the prefix is the same as the length 
of the binary labels, and the prefixes in $P$ whose Bit-Or result is 1 are declared to be the 
output $S$ of the privacy-preserving set union protocol. 

The tree-pruning protocol preserves privacy because, given the output set 
S, a simulator can determine the output of each of the Bit-Or protocols. As 
in the case of the iterative method protocol, we can construct a simulator for 
the tree-pruning protocol that uses a simulator for the Bit-Or protocol as a 
subroutine, and prove its correctness using a hybrid argument. The construction 
is simple and is omitted for brevity. 

The tree-pruning protocol requires $\lg u$ iterations, and in each iteration the 
pairwise Bit-Or of at most $2s$ bits is computed. These computations can all 
take place in parallel, so the protocol requires $O(\lg u)$ communication rounds. 
Each iteration requires $O(s)$ communication and computational complexity, so 
the entire protocol has complexity $O(s \lg u)$. Both the iterative method and tree 
pruning protocols have the same complexity, but different numbers of rounds. 
The iterative method requires fewer rounds when $s = o(\lg u)$. 
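
Both set-union methods above, as an added example that is not part of the paper and not the authors' code (Python). The two-party subprotocols are replaced by ideal functionalities (`private_min`, `private_bit_or`; hypothetical names), the inputs are constructed sample sets over a universe of $u = 16$ labels (4-bit), and `simulate_iterative` / `simulate_tree` are the simulators the privacy arguments rely on. The point it makes concrete is the one the proofs use: the whole sequence of subprotocol outputs, which is everything a semi-honest party sees beyond its own input, is a function of the union $S$ alone, while the number of rounds is $s + 1$ for the iterative method and $\lg u$ for tree pruning.

```python
# Added example (not from the paper): the two set-union protocols of Section 4.1,
# with each two-party subprotocol replaced by an ideal functionality, plus the
# simulators that reproduce every subprotocol output from the union S alone.
from typing import List, Set, Tuple


def private_min(a: int, b: int) -> int:
    """Ideal functionality for the Yao-based minimum: only min(a, b) becomes known."""
    return min(a, b)


def private_bit_or(a: int, b: int) -> int:
    """Ideal functionality for the Bit-Or subprotocol (appendix C): only a | b becomes known."""
    return a | b


def iterative_union(s1: Set[int], s2: Set[int], u: int) -> Tuple[Set[int], List[int]]:
    """Iterative method over canonical labels 0..u-1, with u + 1 standing for infinity.
    Returns (S, transcript); the transcript is the sequence of private-minimum outputs,
    which is all either party learns beyond its own input."""
    inf = u + 1
    a, b = set(s1), set(s2)          # each party's private working copy
    s: Set[int] = set()              # step 1
    transcript: List[int] = []
    while True:
        m1 = min(a) if a else inf    # step 2, P1
        m2 = min(b) if b else inf    # step 2, P2
        m = private_min(m1, m2)      # step 3
        transcript.append(m)
        if m == inf:                 # step 4
            return s, transcript
        s.add(m)
        a.discard(m)                 # m may be present in one or both input sets
        b.discard(m)


def simulate_iterative(s: Set[int], u: int) -> List[int]:
    """Simulator for the iterative method: from the output S alone, the minimum
    outputs must be the elements of S in canonical order followed by infinity."""
    return sorted(s) + [u + 1]


def _has_prefix(elements: Set[int], prefix: str, bits: int) -> int:
    """A party's 1-bit input for prefix p: 1 iff some element's label starts with p."""
    return int(any(format(x, f"0{bits}b").startswith(prefix) for x in elements))


def tree_pruning_union(s1: Set[int], s2: Set[int], bits: int) -> Tuple[Set[int], List[Tuple[str, int]]]:
    """Tree-pruning method over (bits)-bit labels, i.e. lg u = bits rounds.
    Returns (S, transcript); the transcript lists (prefix, Bit-Or output) per live prefix."""
    live = ["0", "1"]                # the 1-bit prefixes are live initially
    transcript: List[Tuple[str, int]] = []
    for i in range(1, bits + 1):
        survivors = []
        for p in live:               # never more than 2|S| live prefixes per round
            r = private_bit_or(_has_prefix(s1, p, bits), _has_prefix(s2, p, bits))
            transcript.append((p, r))
            if r:
                survivors.append(p)
        if i == bits:                # prefixes are now whole labels: the survivors are S
            return {int(p, 2) for p in survivors}, transcript
        live = [p + c for p in survivors for c in "01"]   # p0 and p1 become live
    return set(), transcript         # bits == 0: empty universe


def simulate_tree(s: Set[int], bits: int) -> List[Tuple[str, int]]:
    """Simulator for the tree-pruning method: a Bit-Or output is 1 exactly when some
    element of the (public) output S carries that prefix, so the transcript is a
    function of S."""
    live = ["0", "1"]
    transcript: List[Tuple[str, int]] = []
    for _ in range(bits):
        survivors = []
        for p in live:
            r = _has_prefix(s, p, bits)
            transcript.append((p, r))
            if r:
                survivors.append(p)
        live = [p + c for p in survivors for c in "01"]
    return transcript
```

With $S_1 = \{3, 5, 9\}$ and $S_2 = \{5, 12\}$ the iterative transcript is $3, 5, 9, 12, 17$ (five minimum outputs for $s = 4$), and the tree-pruning transcript has 22 Bit-Or outputs spread over 4 rounds; both are reproduced by the simulators from $S = \{3, 5, 9, 12\}$ alone. If a simulator ever disagreed with the real transcript on some input, that input would be exactly the leak the hybrid argument could not cover.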

5 Privacy-Preserving Algorithms on Joint Graphs 

We now present our constructions that enable two parties to compute algorithms 
on their joint graph in a privacy-preserving manner. Let $G_1$ and $G_2$ be the two 
parties’ respective weighted graphs. Assume that $G_1 = (V_1, E_1, w_1)$ and $G_2 = 
(V_2, E_2, w_2)$ are complete graphs on the same set of vertices, that is, $V_1 = V_2$ 
and $E_1 = E_2$. Let $w_1(e)$ and $w_2(e)$ represent the weight of edge $e$ in $G_1$ and $G_2$, 
respectively. To allow incomplete graphs, the excluded edges may be assigned 
weight $\infty$. We are interested in computing algorithms on the parties’ joint min-
imum graph $\mathrm{gmin}(G_1, G_2) = (V, E, w_{min})$ where $w_{min}(e) = \min(w_1(e), w_2(e))$, 
since minimum joint graphs seem natural for application scenarios such as those 
considered in section 1. 

5.1 Private All Pairs Shortest Distance (APSD) 

The All Pairs Shortest Distance (APSD) problem is the classic graph theory 
problem of finding shortest path distances between all pairs of vertices in a 
graph (see, e.g., [11]). We will think of APSD($G$) as returning a complete graph 
$G' = (V, E', w')$ in which $w'(e_{ij}) = d_G(i,j)$ and $V$ is the original vertex set of 
$G$. Here $d_G(i,j)$ represents the shortest path distance from $i$ to $j$ in $G$. This 
problem is particularly well suited to privacy-preserving computation because 
the solution “leaks” useful information that can be used by the simulator. 

To motivate the problem, consider two shipping companies who are hoping 
to improve operations by merging so that they can both take advantage of fast 
shipping routes offered by the other company. They want to see how quickly 
the merged company would be able to ship goods between pairs of cities, but 
they don’t want to reveal all of their shipping times (and, in particular, their 
inefficiencies) in case the merger doesn’t happen. In other words, they wish to 
compute APSD($G$) where $G = \mathrm{gmin}(G_1, G_2)$. 

The basic idea behind our construction is to build up the solution graph by 
adding edges in order from shortest to longest. The following algorithm takes as 
input the parties’ complete graphs $G_1$ and $G_2$. The graphs may be directed or 
undirected, but they must have strictly positive weight functions. 


1. For notational convenience we introduce a variable $k$, initially set to 1, that 
represents the iteration count of the algorithm. Color each edge in $E$ “blue” 
by letting $B^{(k)}$ denote the set of blue edges in the edge set $E$ at iteration 
$k$, and setting $B^{(0)} = E$. Let $R^{(k)}$ denote the set of “red” edges, $R^{(k)} = 
E - B^{(k)}$. The lengths of red edges have reached their final values and will 
not change as the algorithm proceeds, while the lengths of blue edges may 
still decrease. 

2. A public graph $G_0^{(k)} = (V, E, w_0^{(k)})$ is created. Its edges are all initially 
weighted as $w_0^{(0)}(e) = \infty$. When the algorithm terminates after $n$ iterations, 
we will have $w_0^{(n)}(e_{ij}) = d_G(i,j)$ and $B^{(n)} = \emptyset$. 

3. The parties compute the following public value 

$$m_0^{(k)} = \min_{e \in B^{(k-1)}} w_0^{(k-1)}(e) \tag{1}$$

and the respective private values 

$$m_1^{(k)} = \min_{e \in B^{(k-1)}} w_1(e), \quad\text{and} \tag{2}$$

$$m_2^{(k)} = \min_{e \in B^{(k-1)}} w_2(e) \tag{3}$$

4. Now the parties privately compute the length of the smallest blue edge 
among all three graphs, $m^{(k)} = \min(m_0^{(k)}, m_1^{(k)}, m_2^{(k)})$, us-
ing a generic protocol for private minimum (section 4). This protocol does 
not reveal the larger values. 

5. The parties form the following public set 

$$S_0^{(k)} = \{\, e \in B^{(k-1)} \mid w_0^{(k-1)}(e) = m^{(k)} \,\} \tag{4}$$

and the respective private sets 

$$S_1^{(k)} = \{\, e \in B^{(k-1)} \mid w_1(e) = m^{(k)} \,\}, \quad\text{and} \tag{5}$$

$$S_2^{(k)} = \{\, e \in B^{(k-1)} \mid w_2(e) = m^{(k)} \,\} \tag{6}$$

By construction, $S_0^{(k)}$, $S_1^{(k)}$, and $S_2^{(k)}$ contain only blue edges. 

6. First, the parties privately compute the set union $S^{(k)} = S_0^{(k)} \cup S_1^{(k)} \cup S_2^{(k)}$. 
This is done using the privacy-preserving set union algorithm from section 4. 
Next, the color of each edge $e \in S^{(k)}$ is changed from blue to red by setting 
$B^{(k)} = B^{(k-1)} - S^{(k)}$. Define a weight function $w_0'^{(k)}$ by 

$$w_0'^{(k)}(e) = \begin{cases} m^{(k)} & \text{if } e \in S^{(k)} \\ w_0^{(k-1)}(e) & \text{otherwise} \end{cases} \tag{7}$$

7. Examine triangles with an edge $e_{ij} \in S^{(k)}$, an edge $e_{jk} \in R^{(k)}$ and an edge 
$e_{ik} \in B^{(k)}$. Define the weight function $w_0^{(k)}$ by fixing these triangles if they 
violate the triangle inequality under $w_0'^{(k)}$. More precisely, if $w_0'^{(k)}(e_{ij}) + 
w_0'^{(k)}(e_{jk}) < w_0'^{(k)}(e_{ik})$, then define $w_0^{(k)}(e_{ik}) = w_0'^{(k)}(e_{ij}) + w_0'^{(k)}(e_{jk})$; 
on every other edge $w_0^{(k)}$ agrees with $w_0'^{(k)}$. Do 
the same for triangles with an edge $e_{ij} \in R^{(k)}$, an edge $e_{jk} \in S^{(k)}$, and an 
edge $e_{ik} \in B^{(k)}$. 

8. If there are still blue edges, go to step 3. Otherwise stop; the graph $G_0^{(k)}$ 
holds the solution to APSD($G$). 


The algorithm is proved correct in appendix A. The proof of privacy follows. 

Proof (Privacy). We describe a simulator for $P_1$; the simulator is given $P_1$’s 
input to the protocol, $x$, and the output of the protocol, $f(x,y) = G'$. The 
simulators are identical for $P_1$ and $P_2$ except for the asymmetry in the simulation 
of the set union and minimum subprotocols. We assume that simulators for 
the subprotocols exist because they are private protocols. For instance, if Yao’s 
protocol is used then we can use the simulator in [29]. 

We will assume that there are $n$ protocol rounds. The view of $P_1$ is 

$$\{RT_m(x_1, y_1),\, RT_u(x_2, y_2),\, RT_m(x_3, y_3),\, \ldots,\, RT_u(x_{2n}, y_{2n})\} \tag{8}$$

where $RT_m$ denotes the real transcript of the private minimum protocol, and 
$RT_u$ denotes the real transcript of the private set union protocol. 

We will show in later theorems that the output of each of these protocol 
executions can be computed by the simulator as a polynomial function of $G'$, 
which we will denote as $h_i^m(G')$ and $h_i^u(G')$. We will also show that $P_1$’s input 
to each of these protocol executions can be computed as a polynomial function 
of $x$ and $G'$, which we will denote as $g_i^u(x, G')$ and $g_i^m(x, G')$. The simulator can 
therefore use the subprotocol simulators as subroutines, producing the simulated 
transcript 

$$\{ST_m(g_1^m(x, G'), h_1^m(G')),\, \ldots,\, ST_u(g_{2n}^u(x, G'), h_{2n}^u(G'))\} \tag{9}$$

where $ST_m$ and $ST_u$ denote the simulated transcripts of the minimum and union 
protocols, respectively. 

We prove a hybrid argument over the simulated views for the minimum and 
set union protocols. First, define the hybrid distribution $H_i$ in which the first $i$ 
minimum/union protocols are simulated and the last $2n - i$ are real. Formally, 
let $H_i(x, y)$ denote the distribution: 

$$\{ST_m(g_1^m(x, G'), h_1^m(G')),\, \ldots,\, ST_u(g_i^u(x, G'), h_i^u(G')),\, RT_m(x_{i+1}, y_{i+1}),\, RT_u(x_{i+2}, y_{i+2}),\, \ldots,\, RT_u(x_{2n}, y_{2n})\}$$

We now prove that $H_0(x, y) \stackrel{c}{\equiv} H_{2n}(x, y)$ by showing that for all $i$, $H_i(x, y) \stackrel{c}{\equiv} 
H_{i+1}(x, y)$. For the sake of contradiction, assume the opposite, and choose $i$ so 
that $H_i(x, y)$ and $H_{i+1}(x, y)$ are distinguishable. These two distributions differ in only their $(i+1)$-th term, so 
there must be a polynomial-time distinguisher for either 

$$ST_u(g_{i+1}^u(x, G'), h_{i+1}^u(G')) \ \text{ and } \ RT_u(x_{i+1}, y_{i+1}), \quad\text{or}$$

$$ST_m(g_{i+1}^m(x, G'), h_{i+1}^m(G')) \ \text{ and } \ RT_m(x_{i+1}, y_{i+1}),$$

depending on whether the $(i+1)$-th subprotocol is a union or a minimum. 
However, this contradicts the privacy of the subprotocols, which implies that no 
such polynomial-time distinguishers exist. 

We now show that for each execution of the set union and minimum sub-
protocols, $P_1$’s subprotocol input and the subprotocol output are computable as 
functions of $P_1$’s input and the output of the entire APSD protocol. 

Theorem 1. $m^{(k)}$ is efficiently computable as a function of $G'$. 

Proof. The edge weights found in $G'$ are exactly the values $m^{(1)} < m^{(2)} < \ldots < m^{(n)}$. Therefore 
$m^{(k)}$ is the $k$-th smallest distinct edge weight in $G'$. 

Theorem 2. $S^{(k)}$ is efficiently computable as a function of $G'$. 

Proof. $S^{(k)}$ is the set of edges in $G'$ with weight $m^{(k)}$. 

Theorem 3. $m_1^{(k)}$ is efficiently computable as a function of $G_1$ and $G'$. 

Proof. The edges in $R^{(k-1)}$ are exactly those with weight $\le m^{(k-1)}$ in $G'$ (allowing that 
$m^{(0)} = 0$), so the blue set $B^{(k-1)}$ is the set of edges with weight $> m^{(k-1)}$ in $G'$. 
Then $m_1^{(k)}$ is the smallest $w_1$-weight among the edges of $B^{(k-1)}$. Note that an edge can already be 
red while its $w_1$-weight is still large (its short length came from $G_2$ or from a path), so the 
minimum must be taken over $B^{(k-1)}$ rather than over all edges of $G_1$ with weight $> m^{(k-1)}$. 

Theorem 4. $S_1^{(k)}$ is efficiently computable as a function of $G_1$ and $G'$. 

Proof. $S_1^{(k)}$ is the set of edges in $B^{(k-1)}$ (computed as above) with weight $m^{(k)}$ in $G_1$. 
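
The APSD protocol of section 5.1 together with Theorems 1-4, as an added example that is not part of the paper and not the authors' code (Python). The graphs are constructed 4-vertex directed graphs built by a hypothetical `from_matrix` helper; the private minimum and private set union are ideal-functionality stand-ins (`private_min`, `private_union`, also hypothetical names), so the only thing either party learns from them is the output. `private_apsd` runs steps 1-8 and records, per iteration, the subprotocol outputs $m^{(k)}$, $S^{(k)}$ and $P_1$'s subprotocol inputs $m_1^{(k)}$, $S_1^{(k)}$; `simulate_p1` is the simulator of Theorems 1-4 and must reproduce those records from $G_1$ and $G'$ alone. The sample graphs are chosen so that in iteration 2 the cheapest $G_1$ edge above $m^{(1)}$ (edge $(1,2)$, $w_1 = 2$) is already red because it is short in $G_2$; the simulator therefore recovers $B^{(k-1)}$ from $G'$ before taking the minimum, as the proof of Theorem 3 requires. The result is also checked against Floyd-Warshall on $\mathrm{gmin}(G_1, G_2)$.

```python
# Added example (not from the paper): the APSD protocol of Section 5.1 run on two
# constructed directed graphs, with the private-minimum and private-union subprotocols
# replaced by ideal functionalities, checked against Floyd-Warshall on gmin(G1, G2);
# simulate_p1() is the simulator of Theorems 1-4, re-deriving every subprotocol
# input and output of P1 from G1 and the output G' only.
from typing import Dict, List, Tuple

INF = float("inf")
Edge = Tuple[int, int]


def from_matrix(mat: List[List[float]]) -> Dict[Edge, float]:
    """Constructed sample input: adjacency matrix -> {(i, j): weight} for i != j."""
    n = len(mat)
    return {(i, j): mat[i][j] for i in range(n) for j in range(n) if i != j}


def private_min(*values):
    """Ideal functionality for step 4: only the minimum becomes known."""
    return min(values)


def private_union(a, b):
    """Ideal functionality for the set union of step 6."""
    return a | b


def gmin(w1, w2):
    return {e: min(w1[e], w2[e]) for e in w1}


def floyd_warshall(vertices, w):
    """Reference (non-private) all-pairs shortest distance on one graph."""
    d = {(i, j): (0 if i == j else w[(i, j)]) for i in vertices for j in vertices}
    for k in vertices:
        for i in vertices:
            for j in vertices:
                if d[(i, k)] + d[(k, j)] < d[(i, j)]:
                    d[(i, j)] = d[(i, k)] + d[(k, j)]
    return {e: d[e] for e in w}


def private_apsd(vertices, w1, w2):
    """Returns (w', records) with records[k-1] = (m^(k), S^(k), m_1^(k), S_1^(k)):
    the subprotocol outputs of iteration k and P1's inputs to them."""
    edges = list(w1)
    blue = set(edges)                              # B^(0) = E
    w0 = {e: INF for e in edges}                   # public graph, w_0^(0) = infinity
    records = []
    while blue:
        m0 = min(w0[e] for e in blue)              # (1), public
        m1 = min(w1[e] for e in blue)              # (2), known to P1 only
        m2 = min(w2[e] for e in blue)              # (3), known to P2 only
        m = private_min(m0, m1, m2)                # step 4
        s0 = {e for e in blue if w0[e] == m}       # (4), public
        s1 = {e for e in blue if w1[e] == m}       # (5), P1 private
        s2 = {e for e in blue if w2[e] == m}       # (6), P2 private
        sk = private_union(s0 | s1, s0 | s2)       # step 6; S_0 is public, so each party folds it in
        blue -= sk
        red = set(edges) - blue                    # R^(k), which contains S^(k)
        for e in sk:
            w0[e] = m                              # (7): these lengths are now final
        for (i, j) in sk:                          # step 7: two-hop paths with one hop in S^(k)
            for k in vertices:
                if k in (i, j):
                    continue
                if (j, k) in red and (i, k) in blue:       # i -> j (new) -> k (red)
                    w0[(i, k)] = min(w0[(i, k)], w0[(i, j)] + w0[(j, k)])
                if (k, i) in red and (k, j) in blue:       # k -> i (red) -> j (new)
                    w0[(k, j)] = min(w0[(k, j)], w0[(k, i)] + w0[(i, j)])
        records.append((m, frozenset(sk), m1, frozenset(s1)))
    return w0, records


def simulate_p1(w1, wprime):
    """Theorems 1-4 for P1. B^(k-1) is recovered from G' first: taking the smallest
    w_1-weight above m^(k-1) over all of G_1 would be wrong, because an edge can
    already be red (short in G_2 or via a path) while still long in G_1."""
    out = []
    prev = 0
    for m in sorted(set(wprime.values())):          # m^(1) < m^(2) < ...  (Theorem 1)
        blue = {e for e in wprime if wprime[e] > prev}           # B^(k-1)
        sk = frozenset(e for e in wprime if wprime[e] == m)      # Theorem 2
        m1 = min(w1[e] for e in blue)                            # Theorem 3
        s1 = frozenset(e for e in blue if w1[e] == m)            # Theorem 4
        out.append((m, sk, m1, s1))
        prev = m
    return out


# Constructed sample input: two companies' shipping times between four cities.
V = [0, 1, 2, 3]
W1 = from_matrix([[0, 1, 10, 10], [1, 0, 2, 10], [10, 2, 0, 1], [10, 10, 1, 0]])
W2 = from_matrix([[0, 5, 2, 7], [5, 0, 1, 4], [2, 1, 0, 3], [7, 4, 3, 0]])
```

On this input the protocol takes three iterations with $m^{(1)}, m^{(2)}, m^{(3)} = 1, 2, 3$; the distance $d(0,3) = 3$ is found in iteration 3 as a public-graph edge (in $S_0^{(3)}$), since neither party has a direct edge of that length, and in iteration 2 the simulator correctly reports $m_1^{(2)} = 10$, not 2.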

5.2 Private All Pairs Shortest Path 

While there is only a single all pairs shortest distance solution for a given graph, 
there may be many all pairs shortest path solutions, because between a pair of 
points there may be many paths that achieve the shortest distance. As a side 
effect of engaging in the protocol described in section 5.1, the two participants 
learn an APSP solution. When defining the weight function $w_0^{(k)}$ by fixing vio-
lating triangles in $w_0'^{(k)}$ during step 7, a shortest path solution may be associated 
with the fixed edge. Specifically, if $w_0'^{(k)}(e_{ij}) + w_0'^{(k)}(e_{jk}) < w_0'^{(k)}(e_{ik})$, then the 
shortest path from $i$ to $k$ is through $j$. 

In step 6 of subsequent iterations, when moving an edge $e_{ij} \in S^{(k)}$ to the set 
of red edges, we can conclude that the shortest path from $i$ to $j$ is the edge 
itself if $e_{ij} \notin S_0^{(k)}$, or is the shortest path solution as computed above if 
$e_{ij} \in S_0^{(k)}$. 

Note that learning this APSP solution does not imply any violation of privacy, 
as it is the APSP solution implied by the APSD solution. 
5.3 Private Single Source Shortest Distance (SSSD) 

The Single Source Shortest Distance (SSSD) problem is to find the shortest 
path distances from a source vertex $s$ to all other vertices [11]. An algorithm to 
solve APSD also provides the solution to SSSD, but leaks additional information 
beyond that of the SSSD solution and cannot be considered a private algorithm 
for SSSD. Therefore, this problem warrants its own investigation. 

Similar to the protocol of section 5.1, the SSSD protocol on the minimum 
joint graph adds edges in order from smallest to largest. This protocol is very 
similar to Dijkstra’s algorithm, but is modified to take two graphs as input. 

1. Set $w_1^{(0)} = w_1$ and $w_2^{(0)} = w_2$. Color all edges incident on the source $s$ blue 
by putting all edges $e_{sj}$ into the set $B^{(0)}$. Set the iteration count $k$ to 1. 

2. Both parties privately compute the minimum length of blue edges in their 
graphs, $m_1^{(k)} = \min_{e \in B^{(k-1)}} w_1^{(k-1)}(e)$ and $m_2^{(k)} = \min_{e \in B^{(k-1)}} w_2^{(k-1)}(e)$. 

3. Using the privacy-preserving minimum protocol, compute 

$$m^{(k)} = \min(m_1^{(k)}, m_2^{(k)}).$$

4. Each party finds the set of blue edges in its graph with length $m^{(k)}$, 

$$S_1^{(k)} = \{\, e_{si} \in B^{(k-1)} \mid w_1^{(k-1)}(e_{si}) = m^{(k)} \,\}, \quad\text{and}$$

$$S_2^{(k)} = \{\, e_{si} \in B^{(k-1)} \mid w_2^{(k-1)}(e_{si}) = m^{(k)} \,\}.$$

5. Using the privacy-preserving set union protocol, compute 

$$S^{(k)} = S_1^{(k)} \cup S_2^{(k)}.$$

6. Color the edges in $S^{(k)}$ red by setting $B^{(k)} = B^{(k-1)} - S^{(k)}$. Define a weight 
function $w_1'^{(k)}$ by 

$$w_1'^{(k)}(e) = \begin{cases} m^{(k)} & \text{if } e \in S^{(k)} \\ w_1^{(k-1)}(e) & \text{otherwise} \end{cases} \tag{10}$$

and a weight function $w_2'^{(k)}$ by 

$$w_2'^{(k)}(e) = \begin{cases} m^{(k)} & \text{if } e \in S^{(k)} \\ w_2^{(k-1)}(e) & \text{otherwise} \end{cases} \tag{11}$$

7. Similar to the APSD algorithm, form the weight function $w_1^{(k)}$ by fixing the 
triangles in $w_1'^{(k)}$ that violate the triangle inequality and contain edges in 
$S^{(k)}$; $w_2^{(k)}$ is likewise formed from $w_2'^{(k)}$. 

If there are still blue edges remaining, go to step 2. Otherwise stop; both par-
ties now have a graph with each edge incident on $s$ colored red, and with the 
weight of these edges equal to the shortest path distance from $s$ to each vertex. 
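
The SSSD protocol above, as an added example that is not part of the paper and not the authors' code (Python). As in the APSD example, the minimum and set-union subprotocols are ideal-functionality stand-ins (`private_min`, `private_union`, hypothetical names), the two directed graphs are constructed sample input built by a hypothetical `from_matrix` helper, and the result is checked against Dijkstra on $\mathrm{gmin}(G_1, G_2)$. What the code makes visible is the privacy boundary of section 5.3: only the edges incident on $s$ are ever colored and exchanged; every other edge $e_{ij}$ is used only inside a party's own triangle fixing (step 7), with its own private weight, so the other party never sees it. `simulate_transcript` shows that the subprotocol outputs are a function of the SSSD output alone.

```python
# Added example (not from the paper): the SSSD protocol of Section 5.3 on two constructed
# directed graphs, with the minimum and set-union subprotocols replaced by ideal
# functionalities, checked against Dijkstra on gmin(G1, G2).
import heapq
from typing import Dict, List, Tuple

INF = float("inf")
Edge = Tuple[int, int]


def from_matrix(mat: List[List[float]]) -> Dict[Edge, float]:
    """Constructed sample input: adjacency matrix -> {(i, j): weight} for i != j."""
    n = len(mat)
    return {(i, j): mat[i][j] for i in range(n) for j in range(n) if i != j}


def private_min(a, b):
    """Ideal functionality for step 3: only min(a, b) becomes known."""
    return min(a, b)


def private_union(a, b):
    """Ideal functionality for step 5: only the union becomes known."""
    return a | b


def dijkstra(vertices, w, s):
    """Reference (non-private) single-source shortest distance on one graph."""
    dist = {v: INF for v in vertices}
    dist[s] = 0
    heap = [(0, s)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v in vertices:
            if v != u and d + w[(u, v)] < dist[v]:
                dist[v] = d + w[(u, v)]
                heapq.heappush(heap, (dist[v], v))
    return {v: dist[v] for v in vertices if v != s}


def private_sssd(vertices, w1, w2, s):
    """Returns ({v: d(s, v)}, transcript) with transcript[k-1] = (m^(k), S^(k))."""
    w1k, w2k = dict(w1), dict(w2)                          # w_1^(0), w_2^(0)
    blue = {(s, j) for j in vertices if j != s}            # B^(0): edges incident on s
    transcript = []
    while blue:
        m1 = min(w1k[e] for e in blue)                     # step 2, local to P1
        m2 = min(w2k[e] for e in blue)                     # step 2, local to P2
        m = private_min(m1, m2)                            # step 3
        s1 = {e for e in blue if w1k[e] == m}              # step 4, P1
        s2 = {e for e in blue if w2k[e] == m}              # step 4, P2
        sk = private_union(s1, s2)                         # step 5
        blue -= sk                                         # step 6
        for e in sk:
            w1k[e] = m                                     # (10)
            w2k[e] = m                                     # (11)
        for (_, i) in sk:                                  # step 7: relax s -> i -> j for blue e_sj,
            for (_, j) in blue:                            # each party with its own private w(i, j)
                w1k[(s, j)] = min(w1k[(s, j)], m + w1[(i, j)])
                w2k[(s, j)] = min(w2k[(s, j)], m + w2[(i, j)])
        transcript.append((m, frozenset(sk)))
    return {j: w1k[(s, j)] for j in vertices if j != s}, transcript


def simulate_transcript(dist, s):
    """Simulator: the subprotocol outputs are a function of the SSSD output alone,
    namely the distinct distances in increasing order and the edges attaining each."""
    out = []
    for m in sorted(set(dist.values())):
        out.append((m, frozenset((s, v) for v in dist if dist[v] == m)))
    return out


# Constructed sample input: two providers' link costs between four nodes, source 0.
V = [0, 1, 2, 3]
W1 = from_matrix([[0, 4, 1, 9], [4, 0, 1, 1], [1, 2, 0, 5], [9, 1, 1, 0]])
W2 = from_matrix([[0, 2, 3, 9], [2, 0, 1, 6], [3, 1, 0, 7], [9, 1, 1, 0]])
```

Here $d(0,3) = 3$ is reached along $0 \to 2 \to 1 \to 3$, using $P_2$'s edge $(0,1)$ relaxed through $P_1$'s edge $(2,1)$ and then $P_1$'s edge $(1,3)$; neither party's private edge weights $w(2,1)$ or $w(1,3)$ appear in the transcript, only the three distances and the edges that attain them.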
5.4 Minimum Spanning Tree 

Suppose that two frugal telephone companies wish to merge. Each company has 
a cost function for connecting any pair of houses, and they want to connect 
every house as cheaply as possible using the resources available to the merged 
company. In other words, they wish to compute $\mathrm{MST}(\mathrm{gmin}(G_1, G_2))$. If they can 
perform this computation privately, then both companies can see the final result 
without revealing their entire cost functions. 

Both Kruskal’s and Prim’s algorithms for MST are easily turned into private 
protocols using our techniques, because the algorithms already consider edges 
in order from smallest to largest. At each iteration, Kruskal’s algorithm adds 
the shortest edge such that its addition does not form a loop. It is a simple 
task for each party to compute the set of edges which would not form loops, 
and then to privately compute the length of the shortest edge in this set. One 
problem arises when there are multiple edges that share this length. In the short- 
est path algorithms, we addressed this issue by adding all edges of appropriate 
length at the same time using the private set union protocol, but this will not 
work for MST. Instead, we can assign a canonical ordering to the edges, and at 
each step find the shortest length edges that are canonically “first.” This will 
allow a simulator to determine, given the final MST, in what order the edges 
arrived. 
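
The private MST sketch above, as an added example that is not part of the paper and not the authors' code (Python): Kruskal's algorithm on $\mathrm{gmin}(G_1, G_2)$ with the canonical-ordering tie-break the section describes. Edges carry a canonical index; each party locally selects, among the edges that do not close a loop in the tree built so far, its cheapest one with ties broken by index, and a private minimum over (weight, index) pairs (`private_min`, an ideal-functionality stand-in with a hypothetical name) selects the edge to add. `simulate_order` shows the property the section asks for: the order in which edges arrived, i.e. the whole transcript of minimum outputs, is determined by the final MST alone. The cost tables are constructed sample input, and the result is checked against an ordinary Kruskal run on the minimum graph.

```python
# Added example (not from the paper): Kruskal's algorithm on gmin(G1, G2) as a private
# protocol in the manner of Section 5.4, with a canonical edge index breaking ties.
from typing import Dict, List, Tuple

INF = float("inf")
Edge = Tuple[int, int]


def private_min(a, b):
    """Ideal functionality: only the smaller (weight, index) pair becomes known."""
    return min(a, b)


def _find(parent: Dict[int, int], x: int) -> int:
    """Union-find representative lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def private_mst(edges: List[Edge], w1: Dict[Edge, float], w2: Dict[Edge, float]):
    """edges: undirected edges in canonical order (the position is the canonical label).
    Returns (mst, transcript): mst lists (edge, gmin weight) in arrival order, transcript
    the (weight, index) pairs output by the minimum subprotocol."""
    parent = {v: v for e in edges for v in e}
    mst, transcript = [], []
    while True:
        # each party's candidates: edges that would not form a loop with the tree so far
        cands = [(idx, e) for idx, e in enumerate(edges)
                 if _find(parent, e[0]) != _find(parent, e[1])]
        if not cands:
            return mst, transcript
        c1 = min((w1[e], idx) for idx, e in cands)      # P1's private choice
        c2 = min((w2[e], idx) for idx, e in cands)      # P2's private choice
        weight, idx = private_min(c1, c2)
        if weight == INF:                                # remaining houses cannot be connected
            return mst, transcript
        i, j = edges[idx]
        parent[_find(parent, i)] = _find(parent, j)      # add the edge to the tree
        mst.append((edges[idx], weight))
        transcript.append((weight, idx))


def kruskal(edges: List[Edge], w: Dict[Edge, float]):
    """Reference (non-private) Kruskal with the same (weight, index) order."""
    parent = {v: v for e in edges for v in e}
    mst = []
    for weight, idx in sorted((w[e], idx) for idx, e in enumerate(edges)):
        i, j = edges[idx]
        if weight < INF and _find(parent, i) != _find(parent, j):
            parent[_find(parent, i)] = _find(parent, j)
            mst.append((edges[idx], weight))
    return mst


def simulate_order(edges: List[Edge], mst):
    """Simulator: given only the output MST, recover every minimum subprotocol output."""
    index = {e: idx for idx, e in enumerate(edges)}
    return sorted((weight, index[e]) for e, weight in mst)


# Constructed sample input: each company's cost of connecting each pair of four houses.
EDGES = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)]
W1 = {(0, 1): 3, (0, 2): 1, (0, 3): 4, (1, 2): 2, (1, 3): 2, (2, 3): 5}
W2 = {(0, 1): 2, (0, 2): 2, (0, 3): 4, (1, 2): 3, (1, 3): 2, (2, 3): 1}
```

Three edges of the minimum graph have cost 2, which is the tie case the section warns about; the canonical index makes $(0,1)$ the one that arrives third, and because the same rule is applied by both parties and by the simulator, the arrival order leaks nothing beyond the tree itself.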

6 Complexity Analysis 

For each algorithm considered in this paper, we calculate the number of rounds, 
the total communication complexity, and the computational complexity, and 
compare them with the generic method. Using Yao’s method on a circuit with 
$m$ gates and $n$ inputs requires $O(1)$ rounds, $O(m)$ communication, and $O(m + n)$ 
computational overhead. Lindell and Pinkas note in [28] that the computational 
overhead of the $n$ oblivious transfers in each invocation of Yao’s protocol typ-
ically dominates the computational overhead for the $m$ gates, but for correct 
asymptotic analysis we must still consider the gates. 

Complexity of privacy-preserving APSD. For our analysis we will assume that 
the edge set $E$ has size $n$, and that the maximum edge length is $l$. The generic 
approach to this problem would be to apply Yao’s method to a circuit that 
takes as input the length of every edge in $G_1$ and $G_2$, and returns as output 
$G' = \mathrm{APSD}(\mathrm{gmin}(G_1, G_2))$. Clearly, such a circuit will have $2n \log l$ input bits. 
To count the number of gates, note that a circuit to implement Floyd-Warshall 
requires $O(n^{3/2})$ minimums and $O(n^{3/2})$ additions (the graph is complete, so it has 
$\sqrt{n}$ vertices). For integers represented with 
$\log l$ bits, both of these functionalities require $O(\log l)$ gates, so we conclude that 
Floyd-Warshall requires $O(n^{3/2} \log l)$ gates. To compute gmin requires $O(n \log l)$ 
gates, but this term is dominated by the gate requirement for Floyd-Warshall. 
We conclude that the generic approach requires $O(1)$ rounds, $O(n^{3/2} \log l)$ com-
munication, and $O(n^{3/2} \log l)$ computational overhead. 
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The complexity of our approach depends on the number of protocol iterations 
k, which is equal to the number of different edge lengths that appear in the 
solution graph. In iteration i, we take the minimum of two $(\lg l)$-bit integers, 
and compute a set union of size $s_i$. Because each edge in the graph appears in 
exactly one of the set unions, we also know that $\sum_{i=1}^{k} s_i = n$. 

First we will determine the contribution to the total complexity made by 
the integer minimum calculations. If we use Yao’s protocol, then each integer 
minimum requires a constant number of communication rounds, $O(\lg l)$ inputs, 
and $O(\lg l)$ gates, so the k calculations together contribute O(k) rounds, $O(k \lg l)$ 
communication complexity, and $O(k \lg l)$ computational complexity. 

Complexity contribution of the set union subprotocols depends on whether we 
use the iterative method or the tree pruning method as described in section 4. 
If the iterative method is used, then the k invocations of set union require a 
total of O(n) rounds, $O(k \lg n)$ communication complexity, and $O(k \lg n)$ com- 
putational complexity. If the tree-pruning method is used, then $O(k \lg n)$ rounds 
are required, but the communication and computational complexity remains 
the same. The asymptotically better performance of the iterative method hides 
the fact that each of the k rounds requires $O(\lg n)$ oblivious transfers, which 
are considerably more expensive than the $O(|s_i|)$ private Bit-Or computations 
performed in each of the $\lg u$ rounds of the tree-pruning method. 

Using the iterative method for set union, and noting that k = O(n), we con- 
clude that our APSD protocol requires O(n) communication rounds, $O(n \log n + 
n \log l)$ communication complexity, and $O(n \log n + n \log l)$ computational com- 
plexity. As compared to the generic approach, we have traded more rounds for 
better overall complexity. 

Complexity of privacy-preserving SSSD. Complexity of SSSD is similar to that 
of APSD, except that the number of rounds is k = O(v) and the total number 
of set union operations is v, where v is the number of vertices ($O(n^{1/2})$). We 
conclude that our protocol requires O(v) rounds, $O(v(\log v + \log l))$ oblivious 
transfers, and $O(v(\log v + \log l))$ gates. A generic solution, on the other hand, 
would require $O(v^2 \log l)$ oblivious transfers. 

7 Conclusions 

In this paper, we presented privacy-preserving protocols that enable two honest 
but curious parties to compute APSD and SSSD on their joint graph. A related 
problem is how to construct privacy-preserving protocols for graph comparison. 
Many of these problems (e.g., comparison of the graphs’ respective maximum 
flow values) reduce to the problem of privacy-preserving comparison of two val- 
ues, and thus have reasonably efficient generic solutions. For other problems, 
such as graph isomorphism, there are no known polynomial-time algorithms 
even if privacy is not a concern. Investigation of other interesting graph algo- 
rithms that can be computed in a privacy-preserving manner is a topic of future 
research. 
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A Proof of Private APSD Protocol Correctness 

Before proving the algorithm correct, we prove some supporting lemmas. 
Lemma 1. If an edge $e \in R^{(k)}$ and $w_0^{(k)}(e) = l$ then $\forall j > k$, $w_0^{(j)}(e) = l$. 

Proof. Intuitively, this says that once the protocol establishes the length of a red 
edge, it never changes. This follows from the protocol lacking operations that 
alter the length of red edges. 

Lemma 2. For an edge $e \in R^{(k)}$, $w_0^{(k)}(e) \le m^{(k)}$. 

Proof. In step 6 of iteration k, for edges $e \in S^{(k)}$ we set $w_0^{(k)}(e) = m^{(k)}$ and 
$e \in R^{(k)}$. Apply lemma 1 to complete the proof. 

Lemma 3. For an edge $e \in B^{(k)}$, $w_0^{(k)}(e) > m^{(k)}$. 

Proof. First, we show that for an edge $e \in B^{(k)}$, $w_0^{(k)}(e) \ge m^{(k)}$. If $w_0^{(k)}(e) = 
m^{(k)}$ then $e \in S^{(k)}$ (and $e \notin B^{(k)}$). If $w_0^{(k)}(e) < m^{(k)}$ and $e \in B^{(k)}$, then 
$w_0^{(k-1)}(e) < m^{(k)}$ and we would have defined a smaller 

Now, for those edges e where we have $w_0^{(k)}(e) < w_0^{(k-1)}(e)$ because of step 7, 
we still have $w_0^{(k)}(e) >$ because the right-hand side of the assignment is 
strictly greater than 

Lemma 4. For all edges e, $e \in R^{(k)} \Leftrightarrow w_0^{(k)}(e) \le m^{(k)}$ and $e \in B^{(k)} \Leftrightarrow 
w_0^{(k)}(e) > m^{(k)}$. 

Proof. This is an immediate consequence of lemmas 2 and 3. 

Lemma 5. For every red edge $e_{ij} \in R^{(k)}$, $w_0^{(k)}(e_{ij}) = d_G(i, j)$. 

Proof. The proof is by induction on k. For k = 0, the result is trivial. We will 
now assume that the result holds for values less than k and prove it for k. 

Because of lemma 1, it is sufficient to prove that for edges $e_{ij} \in S^{(k)}$, 
$d_G(i, j) = m^{(k)}$. We consider two cases. 
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1. The shortest path from i to j in G is the edge $e_{ij}$. 

In this case, $d_G(i, j) = \min(w_1(e_{ij}), w_2(e_{ij}))$. To complete the proof, it’s 
enough to show that $w_0^{(k-1)}(e_{ij}) \ge d_G(i, j)$. Suppose that in some iteration 
h < k we set $w_0^{(h)}(e_{ij}) = w_0^{(h)}(e_{ik}) + w_0^{(h)}(e_{kj})$ in step 7. Then by inductive 
hypothesis, this implies a shorter path from i to j than the edge $e_{ij}$, which 
is a contradiction. 

2. The shortest path from i to j in G is through k. 

In this case, $d_G(i, j) = d_G(i, k) + d_G(k, j)$. WLOG, assume that $w_0^{(k)}(e_{ik}) \ge 
w_0^{(k)}(e_{kj})$. Then by lemmas 1 and 4, we have that for some h < k, $w_0^{(h)}(e_{ik}) = 
m^{(h)}$. This means that in step 7 of iteration h the protocol set $w_0^{(h)}(e_{ij}) = 
w_0^{(h)}(e_{ik}) + w_0^{(h)}(e_{kj})$. By the inductive hypothesis, $w_0^{(h)}(e_{ik}) = d_G(i, k)$ and 
$w_0^{(h)}(e_{kj}) = d_G(k, j)$. We conclude that $w_0^{(h)}(e_{ij}) = d_G(i, k) + d_G(k, j)$ and 
therefore that $w_0^{(k)}(e_{ij}) \le d_G(i, k) + d_G(k, j)$. By the same argument as 
in the first case, we also have $w_0^{(k)}(e_{ij}) \ge d_G(i, k) + d_G(k, j)$. Therefore, 
$m^{(k)} = d_G(i, k) + d_G(k, j) = d_G(i, j)$. 

It is now a simple task to prove algorithm correctness. 

Proof (Correctness). Suppose the algorithm terminates after n iterations. Then 
$R^{(n)} = E$. Apply lemma 5. 


B Survey of Privacy-Preserving Set Union Protocols 

Generic Yao’s method. It is easy to construct a circuit for computing the set 
union. Each party $P_p$ inputs one bit for every element $e_i$ in the universe U. The 
input bit $b_{pi}$ is set to 1 if party $P_p$ has element $e_i$ in his set, and 0 otherwise. 
The circuit consists of |U| AND gates, each of which takes as inputs $b_{0i}$ and $b_{1i}$ 
and outputs $o_i = b_{0i} \wedge b_{1i}$. Then $o_i = 1$ iff element $e_i$ is in the set union. Since 
this circuit has O(u) inputs and O(u) gates, we conclude that the computational 
overhead and the communication complexity are both O(u). 

Commutative encryption. Clifton et al. [10] present a simple construction for 
privacy-preserving set union that uses commutative encryption. Each party en- 
crypts the elements in its set, exchanges the encrypted sets with the other party, 
and then encrypts the other party’s encrypted elements with its own key. The 
double-encrypted sets are then combined. Due to commutativity of encryption, 
all elements in the intersection appear as duplicates. They are removed, and the 
remaining elements are decrypted. Scrambling the order of elements may hide 
which elements are in the intersection, but the size of the intersection is still re- 
vealed, thus this method is not secure in the standard sense of definition 2. This 
protocol requires communication and computational complexity $O(|s_1| + |s_2|)$. 
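The commutative-encryption union just described, written out as an added example (it is not code from the paper or from Clifton et al.). It uses exponentiation in the order-q subgroup of $Z_p^*$ as the commutative cipher, encodes elements of 1..q as quadratic residues so that they can be recovered after decryption, and returns, next to the union, the number of collisions in the double-encrypted multiset, which is exactly the intersection size that the survey says this method leaks. The parameters p = 1019, q = 509, the sample sets and the order in which the two layers are peeled are all choices made here, not taken from the page.

```python
import random

# Toy parameters constructed for this example: p = 2q + 1 with q prime, p ≡ 3 (mod 4).
P, Q = 1019, 509


def encode(e):
    """Map an element e in 1..q to a quadratic residue mod p (injective on that range)."""
    assert 1 <= e <= Q
    return (e * e) % P


def decode(y):
    """Invert encode(): since p ≡ 3 (mod 4), y^((p+1)/4) is a square root of y."""
    root = pow(y, (P + 1) // 4, P)
    return min(root, P - root)        # pick the root that lies in 1..q


def enc(key, y):
    """Pohlig-Hellman style commutative encryption in the order-q subgroup: y -> y^key."""
    return pow(y, key, P)


def dec(key, y):
    """Remove one encryption layer: y -> y^(key^-1 mod q)."""
    return pow(y, pow(key, -1, Q), P)


def set_union_protocol(s1, s2, rng):
    """Two-party set union via commutative encryption, as sketched in the survey.
    Returns (union, duplicates); duplicates is what either party can count from
    the double-encrypted multiset before anything is decrypted."""
    k1, k2 = rng.randrange(1, Q), rng.randrange(1, Q)
    e1 = [enc(k1, encode(e)) for e in s1]   # party 1 encrypts its set, sends to party 2
    e2 = [enc(k2, encode(e)) for e in s2]   # party 2 encrypts its set, sends to party 1
    ee2 = [enc(k1, y) for y in e2]          # party 1 adds its layer to party 2's set
    ee1 = [enc(k2, y) for y in e1]          # party 2 adds its layer to party 1's set
    combined = ee1 + ee2                    # commutativity: common elements collide
    rng.shuffle(combined)                   # scrambling hides WHICH elements collide...
    duplicates = len(combined) - len(set(combined))   # ...but not HOW MANY do
    # Peel the layers (party 1 removes k1, then party 2 removes k2; the paper does not
    # fix this order, it is a choice made here) and map ciphertexts back to elements.
    peeled = (dec(k2, dec(k1, y)) for y in set(combined))
    return sorted(decode(y) for y in peeled), duplicates


def run_example(seed=0):
    """Constructed sample sets: the union is returned and |S1 ∩ S2| = 2 is revealed."""
    return set_union_protocol({3, 17, 42, 100}, {17, 42, 250}, random.Random(seed))


if __name__ == "__main__":
    print(run_example())
```

The second return value is the point of the passage: whatever the shuffle hides, both parties learn the intersection size, so the protocol does not meet the standard simulation-based definition the paper uses.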

Complement of set intersection. When the universe U is small, it is possible to 
use complementation and take advantage of the fact that $S_1 \cup S_2 = \overline{\overline{S_1} \cap \overline{S_2}}$. 



252 J. Brickell and V. Shmatikov 


Freedman et al. [20] present a privacy-preserving protocol for set intersection 
that uses homomorphic encryption which requires O(k) communication overhead 
and $O(k \ln \ln k)$ computation overhead, where k is the size of the set intersection. 
For applications considered in this paper, sets $S_1$ and $S_2$ are very small, so their 
complements are of size O(u). As a result, this method requires $O(u \ln \ln u)$ 
computation, which is unacceptable. 

Polynomial set representation. Kissner and Song [27] present a method for rep- 
resenting sets as polynomials, and give several privacy-preserving protocols for 
set operations using these representations. They do not provide a protocol for 
the standard set union problem. Instead, they give a protocol for the “threshold 
set union” problem, in which the inputs are multi-sets and the output is the set 
of elements whose multiplicity of appearance in the union exceed some thresh- 
old; the intersection of the input sets is also revealed. When applied to regular 
sets (as opposed to multi-sets) this protocol does not preserve privacy as the 
intersection is the only information one can hope to keep private. 

C Privacy-Preserving Bit-OR 

First, observe that the circuit for computing OR of 2 bits consists in a single gate. 
Therefore, even the generic construction using Yao’s protocol [39] is efficient, 
requiring a single 1-out-of-2 oblivious transfer. 

An alternative construction without oblivious transfers is provided by a se- 
mantically secure homomorphic encryption scheme such as ElGamal. Suppose 
Alice and Bob want to compute OR of their respective bits $b_a$ and $b_b$ in a 
privacy-preserving manner (Alice and Bob are honest, but curious). Alice picks 
some cyclic group G of prime order q with generator g where the Decisional 
Diffie-Hellman problem is presumed hard, e.g., the group of quadratic residues 
modulo some large prime p = 2q + 1, and chooses its secret key k at random 
from $\{0, \ldots, q - 1\}$. Alice sends to Bob its public key q, g, $g^k$ together with its 
ciphertext $c_a$, which is created as follows. If $b_a = 0$, then $c_a = (g^r, g^{kr})$, where 
r is randomly selected from $\{0, \ldots, q - 1\}$. If $b_a = 1$, then $c_a = (g^r, g \cdot g^{kr})$. 

Upon receipt of $c_a = (\alpha, \beta)$ and Alice’s public key, Bob computes $c_b$ as fol- 
lows. First, it randomly picks $r' \in \{0, \ldots, q - 1\}$. If $b_b = 0$, then $c_b = (\alpha^{r'}, \beta^{r'})$. 
If $b_b = 1$, then $c_b = (\alpha^{r'}, g^{r'} \cdot \beta^{r'})$. Bob returns $c_b$ to Alice. 

Alice computes bit b by decrypting $c_b = (\gamma, \delta)$ with its private key k, i.e., 
$b = \delta / \gamma^k$. Clearly, if $b_a = b_b = 0$, then b = 1. In this case, Alice declares that 
$b_a \vee b_b = 0$. If $b \ne 1$, then Alice declares that $b_a \vee b_b = 1$. 

To verify that this construction preserves privacy, observe that secrecy of $b_a$ 
follows from the semantic security of ElGamal. Now suppose $b_a = 1$. If $b_b = 0$, 
then the decrypted plaintext $b = g^{r'}$. If $b_b = 1$, then $b = g^{2r'}$. Since A does not 
know r', it cannot tell the difference. Thus, A does not learn $b_b$ if $b_a = 1$. 

(We are grateful to Stas Jarecki for a helpful discussion of constructions for 
privacy-preserving Bit-Or). 
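The ElGamal-based Bit-OR exchange above, implemented end to end as an added example (it is not code from the paper). The group is the order-q subgroup of quadratic residues modulo p = 2q + 1 with the small constructed parameters p = 1019, q = 509, g = 4, so the run is illustrative rather than secure. One check worth making explicit: the appendix lets Bob draw r' from {0, ..., q - 1}, but r' = 0 makes Bob's reply (1, 1), which Alice decrypts to 1 and reads as OR = 0 even when $b_b = 1$, so the code draws r' from 1..q - 1 instead. The function `run_protocol` also hands back the plaintext Alice sees so that the appendix's privacy argument (she sees $g^{r'}$ or $g^{2r'}$ when $b_a = 1$) can be confirmed on the numbers.

```python
import random

# Toy parameters, constructed for this example: p = 2q + 1 with q prime, and
# g = 4 generates the order-q subgroup of quadratic residues modulo p.
P = 1019
Q = 509
G = 4


def alice_keygen(rng):
    """Alice's ElGamal key: secret k and public g^k."""
    k = rng.randrange(1, Q)
    return k, pow(G, k, P)


def alice_encrypt_bit(b_a, h, rng):
    """c_a = (g^r, g^{kr}) if b_a = 0, or (g^r, g * g^{kr}) if b_a = 1."""
    r = rng.randrange(1, Q)
    alpha = pow(G, r, P)
    beta = pow(h, r, P) * (G if b_a else 1) % P
    return alpha, beta


def bob_respond(b_b, ca, r_prime):
    """c_b = (alpha^{r'}, beta^{r'}) if b_b = 0, or (alpha^{r'}, g^{r'} * beta^{r'}) if b_b = 1."""
    alpha, beta = ca
    gamma = pow(alpha, r_prime, P)
    delta = pow(beta, r_prime, P) * (pow(G, r_prime, P) if b_b else 1) % P
    return gamma, delta


def alice_decrypt(cb, k):
    """ElGamal decryption: delta / gamma^k (inverse via Fermat, p is prime)."""
    gamma, delta = cb
    return delta * pow(pow(gamma, k, P), P - 2, P) % P


def run_protocol(b_a, b_b, rng):
    """One full exchange. Returns (declared OR, plaintext Alice sees, Bob's r')
    so the plaintext can be inspected; Alice herself outputs only the OR."""
    k, h = alice_keygen(rng)
    ca = alice_encrypt_bit(b_a, h, rng)
    # r' must be non-zero: with r' = 0 Bob's reply is (1, 1), which decrypts to 1
    # and would make Alice declare 0 even when b_b = 1 (choice made here).
    r_prime = rng.randrange(1, Q)
    cb = bob_respond(b_b, ca, r_prime)
    m = alice_decrypt(cb, k)
    return (0 if m == 1 else 1), m, r_prime


def truth_table(seed=0):
    """Declared OR for all four input pairs, using a seeded RNG."""
    rng = random.Random(seed)
    return {(ba, bb): run_protocol(ba, bb, rng)[0] for ba in (0, 1) for bb in (0, 1)}


def plaintext_matches_analysis(seed=0):
    """When b_a = 1, Alice sees g^{r'} (b_b = 0) or g^{2r'} (b_b = 1); both are
    uniform in the group from her point of view because she does not know r'."""
    rng = random.Random(seed)
    _, m0, rp0 = run_protocol(1, 0, rng)
    _, m1, rp1 = run_protocol(1, 1, rng)
    return m0 == pow(G, rp0, P) and m1 == pow(G, 2 * rp1, P)


if __name__ == "__main__":
    print(truth_table())
```

With a real parameter size the only change is P, Q and G; the message flow, the single decryption, and the r' ≠ 0 requirement stay the same.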
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Abstract. We introduce a new cryptographic primitive called the blind 
coupon mechanism (BCM). In effect, the BCM is an authenticated bit 
commitment scheme, which is AND-homomorphic. It has not been known 
how to construct such commitments before. We show that the BCM has 
natural and important applications. In particular, we use it to construct 
a mechanism for transmitting alerts undetectably in a message-passing 
system of n nodes. Our algorithms allow an alert to quickly propagate to 
all nodes without its source or existence being detected by an adversary, 
who controls all message traffic. Our proofs of security are based on a 
new subgroup escape problem, which seems hard on certain groups 
with bilinear pairings and on elliptic curves over the ring $Z_n$. 

Keywords: Blind Coupon Mechanism, AND-homomorphic Bit Com- 
mitment, Subgroup Escape Problem, Elliptic Curves Over Composite 
Moduli, Anonymous Communication. 


1 Introduction 

Motivation. As more computers become interconnected, chances increase 
greatly that an attacker may attempt to compromise your system and network 
resources. It has become common to defend the network by running an Intru- 
sion Detection System (IDS) on several of the network nodes, which we call 
sentinels. These sentinel nodes continuously monitor their local network traffic 
for suspicious activity. When a sentinel node detects an attacker’s presence, it 
may want to alert all other network nodes to the threat. However, issuing an 
alert out in the open may scare the attacker away too soon and preclude the 
system administrator from gathering more information about attacker’s rogue 

* Supported in part by NSF grants CCR-0098078, CNS-0305258, and CNS-0435201. 
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exploits. Instead, we would like to propagate the alert without revealing the ids 
of the sentinel nodes or the fact that the alert is being spread. 

We consider a powerful (yet computationally bounded) attacker who observes 
all message traffic and is capable of reading, replacing, and delaying circulating 
messages. Our work provides a cryptographic mechanism that allows an alert 
to spread through a population of processes at the full speed of an epidemic, 
while remaining undetectable to the attacker. As the alert percolates across the 
network, all nodes unwittingly come to possess the signal, making it especially 
difficult to identify the originator even if the secret key is compromised and the 
attacker can inspect the nodes’ final states. 

A New Tool: A Blind Coupon Mechanism. The core of our algorithms is a 
new cryptographic primitive called a blind coupon mechanism (BCM). The 
BCM is related, yet quite different, from the notion of commitment. It consists 
of a set $D_{SK}$ of dummy coupons and a set $S_{SK}$ of signal coupons ($D_{SK} \cap 
S_{SK} = \emptyset$). The owner of the secret key SK can efficiently sample these sets 
and distinguish between their elements. We call the set of dummy and signal 
coupons, $D_{SK} \cup S_{SK}$, the set of valid coupons. 

The BCM comes equipped with a verification algorithm $\mathcal{V}_{PK}(x)$ that 
checks if x is indeed a valid coupon. There is also a probabilistic combining 
algorithm $\mathcal{C}_{PK}(x, y)$, that takes as input two valid coupons x, y and outputs 
a new coupon which is, with high probability, a signal coupon if and only if at 
least one of the inputs is a signal coupon. As suggested by the notation, both 
algorithms can be computed by anyone who has access to the public key PK of 
the blind coupon mechanism. 

We regard the BCM secure if an observer who lacks the secret key SK (a) 
cannot distinguish between dummy and signal coupons (indistinguishability); 
(b) cannot engineer a new signal coupon unless he is given another signal coupon 
as input (unforgeability); and (c) cannot distinguish randomly chosen coupons 
from coupons produced by the combining algorithm (blinding) . 

Our Main Construction. Our BCM construction uses an abstract group 
structure (U, G, D). Here, U is a finite set, $G \subseteq U$ is a cyclic group, and D is 
a subgroup of G. The elements of D will represent dummy coupons and the 
elements of $G \setminus D$ will be signal coupons (see also Figure 1). The combining 
operation will simply be a group operation. To make verification possible, there 
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will need to be an easy way to distinguish elements of G (valid coupons) from 
elements of U\G (invalid coupons). 

In order for the BCM to be secure, the following two problems must be hard 
on this group structure: 

- Subgroup Membership Problem: Given generators for G and D and an 
element $y \in G$, decide whether $y \in D$ or $y \in G \setminus D$. 

- Subgroup Escape Problem: Given a generator for D (but not G), find 
an element of $G \setminus D$. 

The subgroup membership problem has appeared in many different forms 
in the literature [11,18,28,31,33,16,29]. The subgroup escape problem has not 
been studied before. To provide more confidence in its validity, we later analyze 
it in the generic group model. 

Notice that the task of distinguishing a signal coupon from a dummy coupon 
(indistinguishability) and the task of forging a signal coupon (unforgeability) 
are essentially the subgroup membership and subgroup escape problems. The 
challenge thus becomes to find a concrete group structure ( U , G, D ) for which 
the subgroup membership and the subgroup escape problems are hard. 

We provide two instantiations of the group structure: one using groups with 
bilinear pairings, and one using elliptic curves over composite moduli. 

Why is a BCM Useful? The BCM can potentially be useful in various appli- 
cations. If signal coupons are used to encode a “1” and dummy coupons a “0” , 
then a BCM can be viewed as an OR-homomorphic bit commitment scheme. 
The BCM is indeed hiding because dummy and signal coupons appear the 
same to an outside observer. It is also binding because the sets of dummy 
and signal coupons are disjoint. In addition, the BCM’s verification function en- 
sures the commitment is authenticated. By switching signal coupons to encode 
a “0” and dummy coupons to encode a “1”, we get an AND-homomorphic bit 
commitment. As far as we know, it has not been known how to construct such 
commitments before. The BCM thus provides a missing link in protocol design. 
Using BCM together with techniques of Brassard et al. [7], we can obtain short 
non-interactive proofs of circuit satisfiability, whose length is linear in the num- 
ber of AND gates in the circuit. Other potential uses include i-voting (voting 
over the Internet) [10]. 

Spreading Alerts with the BCM. Returning to our original motivation, 
we demonstrate how a BCM can be used to propagate alerts quickly and quietly 
throughout the network. During the initial network setup, the network admin- 
istrator generates the BCM’s public and secret keys. He then distributes signal 
coupons to sentinel nodes. All other nodes receive dummy coupons. In our mech- 
anism, nodes continuously transmit either dummy or signal coupons with all 
nodes initially transmitting dummy coupons. Sentinel nodes switch to sending 
signal coupons when they detect the attacker’s presence. The BCM’s combining 
algorithm allows dummy and signal coupons to be combined so that a node can 
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propagate signal coupons without having to know that it has received any, and 
so that an attacker (who can observe all message traffic) cannot detect where or 
when signals are being transmitted within the stream of dummy messages. 

In addition, the BCM’s verification algorithm defends against Byzantine 
nodes [25]: While Byzantine nodes can replay old dummy messages instead of 
relaying signals, they cannot flood the network with invalid coupons, thereby 
preventing an alert from spreading; at worst, they can only act like crashed 
nodes. 

We prove that if the underlying BCM is secure, then the attacker cannot 
distinguish between executions where an alert was sent and executions where no 
alert was sent. The time to spread the alert to all nodes will be determined by 
the communications model and alert propagation strategy. At any point in time, 
the network administrator can sample the state of some network node and check 
if it possesses a signal coupon. 

Paper Organization. The rest of the paper is organized as follows. We begin 
with a discussion of related work in Section 2. In Section 3, we formally define 
the notion of a blind coupon mechanism and sketch an abstract group structure, 
which will allow us to implement it. Then in Section 4, we provide two concrete 
instantiations of this group structure using certain bilinear groups and elliptic 
curves over the ring Z n . In Section 5, we show how the BCM can be used to 
spread alerts quietly throughout a network. In Section 6, we analyze the hardness 
of the subgroup escape problem in the generic group model. Some of the proofs 
have been omitted due to space limitations; they can be found in the full version, 
available as a Yale CS technical report [3]. Conclusions and open problems appear 
in Section 7. 

2 Related Work 

Our motivating example of spreading alerts is related to the problem of anony- 
mous communication. Below, we describe known mechanisms for anonymous 
communication, and contrast their properties with what can be obtained from 
the blind coupon mechanism. We then discuss literature on elliptic curves over 
a ring, which are used in our constructions. 

2.1 Anonymous Communication 

Two basic tools for anonymous message transmission are DC-nets (“dining- 
cryptographers” nets) [9,19] and mix-nets [8]. These tools try to conceal who the 
message sender and recipient are from an adversary that can monitor all network 
traffic. While our algorithms likewise aim to hide who the signal’s originators 
are, they are much less vulnerable to disruption by an active adversary that can 
delay or alter messages, and they can also hide the fact that a signal is being 
spread through the network. 

DC-nets enable one participant to anonymously broadcast a message to oth- 
ers by applying a dining cryptographers protocol. A disadvantage of DC-nets for 
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unstructured systems like peer-to-peer networks is that they require substan- 
tial setup and key management, and are vulnerable to jamming. In contrast, 
the initialization of our alert-spreading application involves distributing only a 
public key used for verification to non-sentinel nodes and requires only a single 
secret key shared between the sentinels and the receiver, jamming is prevented 
by the verification algorithm, and outsiders can participate in the alert-spreading 
(although they cannot initiate an alert), which further helps disguise the true 
source. As the signal percolates across the network, all nodes change to an alert 
state, further confounding the identification of an alert’s primary source even if 
a secret key becomes compromised. 

The problem of hiding the communication pattern in the network was first 
addressed by Chaum [8], who introduced the concept of a mix, which shuffles 
messages and routes them, thereby confusing traffic analysis. This basic scheme 
was later extended in [40,39]. A further refinement is a mix-net [1,21,20], in 
which a message is routed through multiple trusted mix nodes, which try to hide 
correlation between incoming and outgoing messages. Our mechanism is more 
efficient and produces much stronger security while avoiding the need for trusted 
nodes; however, we can only send very small messages. 

Beimel and Dolev [4] proposed the concept of buses, which hide the mes- 
sage’s route amidst dummy traffic. They assume a synchronous system and a 
passive adversary. In contrast, we assume both an asynchronous system and very 
powerful adversary, who in addition to monitoring the network traffic controls 
the timing and content of delivered messages. 


2.2 Elliptic Curves over a Ring 

One of our BCM constructions is based on elliptic curves over the ring Z n , where 
n = pq is a product of primes. Elliptic curves over Z n have been studied for nearly 
twenty years and are used, inter alia, in Lenstra’s integer factoring algorithm [27] 
and the Goldwasser-Kilian primality testing algorithm [17]. Other works [13,23, 
31] exported some factoring-based cryptosystems (RSA [35], Rabin [34]) to the 
elliptic curve setting in hopes of avoiding some of the standard attacks. The 
security of our BCM relies on a special feature of the group of points on elliptic 
curves modulo a composite: It is difficult to find new elements of the group 
except by using the group operation on previously known elements. This problem 
has been noted many times in the literature, but was previously considered a 
nuisance rather than a cryptographic property. In particular, Lenstra [27] chose 
the curve and the point at the same time, while Demytko [13] used twists and 
x-coordinate-only computations to compute on the curve without y-coordinates. 
To the best of our knowledge, this problem’s potential use in cryptographic 
constructions was first noted in [15]. 

2.3 Epidemic Algorithms 

Our alert mechanism belongs to the class of epidemic algorithms (also called 
gossip protocols) introduced in [12]. In these algorithms, each process chooses to 
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partner processes with which to communicate randomly. The drawback of gossip 
protocols is the number of messages they send, which is in principle unbounded 
if there is no way for the participants to detect when all information has been 
fully distributed. 

3 Blind Coupon Mechanism 

The critical component of our algorithms that allows information to propagate 
undetectably among the processes is a cryptographic primitive called a blind 
coupon mechanism (BCM). In Section 3.1, we give a formal definition of the 
BCM and its security properties. In Section 3.2, we describe an abstract group 
structure that will allow us to construct the BCM. 


3.1 Definitions 

Definition 1. A blind coupon mechanism is a tuple of PPT algorithms 
$(\mathcal{G}, \mathcal{V}, \mathcal{C}, \mathcal{D})$ in which: 

- $\mathcal{G}(1^k)$, the probabilistic key generation algorithm, outputs a pair of public 
and secret keys (PK, SK) and two strings (d, s). The public key defines a 
universe set $U_{PK}$ and a set of valid coupons $G_{PK}$. The secret key implicitly 
defines an associated set of dummy coupons $D_{SK}$ and a set of signal 
coupons $S_{SK}$.$^1$ It is the case that $d \in D_{SK}$ and $s \in S_{SK}$, $D_{SK} \cap S_{SK} = \emptyset$, 
and $D_{SK} \cup S_{SK} = G_{PK}$. 

- $\mathcal{V}_{PK}(y)$, the deterministic verification algorithm, takes as input a coupon 
y and returns 1 if y is valid and 0 if it is invalid. 

- $z \leftarrow \mathcal{C}_{PK}(x, y)$, the probabilistic combining algorithm, takes as input two 
valid coupons $x, y \in G_{PK}$ and produces a new coupon z. The output z is a 
signal coupon (with overwhelming probability) whenever one or more of the 
inputs is a signal coupon, otherwise it is a dummy coupon (see Figure 2). 

- $\mathcal{D}_{SK}(y)$, the deterministic decoding algorithm, takes as input a valid 
coupon $y \in G_{PK}$. It returns 0 if y is a dummy coupon and 1 if y is a 
signal coupon. 

The BCM may be established either by an external trusted party or jointly 
by the application participants, running the distributed key generation protocol 
(e.g., one could use a variant of [2]). In this paper, we assume a trusted dealer 
(the network administrator) who runs the key generation algorithm and distrib- 
utes signal coupons to the supervisor algorithms of sentinel nodes at the start 
of the system execution. In a typical algorithm, the nodes will continuously ex- 
change coupons with each other. The combining algorithm $\mathcal{C}_{PK}$ enables nodes 
to locally and efficiently combine their coupons with coupons of other nodes. 

1 Note that membership in $S_{SK}$ and $D_{SK}$ should not be efficiently decidable when 
given only PK (unlike membership in $G_{PK}$). However, we require that membership 
is always efficiently decidable when given SK. 
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Fig. 2. Properties of the combining algorithm 


The verification function $\mathcal{V}_{PK}$ prevents the adversary from flooding the system 
with invalid coupons and making it impossible for the signal to spread. 

For this application, we require the BCM to have certain specific security 
properties. 

Definition 2. We say that a blind coupon mechanism $(\mathcal{G}, \mathcal{V}, \mathcal{C}, \mathcal{D})$ is secure if 
it satisfies the following requirements: 

1. Indistinguishability: Given a valid coupon y, the adversary cannot tell 
whether it is a signal or a dummy coupon with probability better than 1/2. 
Formally, for any PPT algorithm A, 

$$\left| \Pr\left[ b = b' \;:\; (PK, SK, d, s) \leftarrow \mathcal{G}(1^k);\ x_0 \leftarrow D_{SK};\ x_1 \leftarrow S_{SK};\ b \leftarrow \{0, 1\};\ b' \leftarrow A(1^k, PK, d, x_b) \right] - \frac{1}{2} \right| \le negl(k).$$


2. Unforgeability: The adversary is unlikely to fabricate a signal coupon with- 
out the use of another signal coupon as input $^2$. Formally, for any PPT 
algorithm A, 

$$\Pr\left[ y \in S_{SK} \;:\; (PK, SK, d, s) \leftarrow \mathcal{G}(1^k);\ y \leftarrow A(1^k, PK, d) \right] \le negl(k).$$


3. Blinding: The combination $\mathcal{C}_{PK}(x, y)$ of two valid coupons x, y looks like a 
random valid coupon. Formally, fix some pair of keys (PK, SK) outputted 
by $\mathcal{G}(1^k)$. Let $U_D$ be a uniform distribution on $D_{SK}$ and let $U_S$ be a uniform 
distribution on $S_{SK}$. Then, for all valid coupons $x, y \in G_{PK}$, 

$$\begin{cases} Dist(\mathcal{C}_{PK}(x, y), U_D) = negl(k) & \text{if } x, y \in D_{SK}, \\ Dist(\mathcal{C}_{PK}(x, y), U_S) = negl(k) & \text{otherwise.} \end{cases}$$

(Here, $Dist(A, B) \stackrel{\mathrm{def}}{=} \frac{1}{2} \sum_x \left| \Pr[A = x] - \Pr[B = x] \right|$ is the statistical distance 
between a pair of random variables A, B.) 


To build the reader’s intuition, we describe a straw-man construction of a 
BCM. Suppose we are given any semantically secure encryption scheme $\mathcal{E}(\cdot)$ 

2 The adversary, however, can easily generate polynomially many dummy coupons 
by using $\mathcal{C}_{PK}(\cdot, \cdot)$ with the initial dummy coupon d that he receives. 
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and a set-homomorphic signature scheme SIG(·) by Johnson et al. [22]. This 
signature scheme allows anyone possessing sets $x, y \subseteq Z_p$ and their signatures 
SIG(x), SIG(y) to compute SIG($x \cup y$) and SIG(w) for any $w \subseteq x$. We rep- 
resent dummy coupons by a random-length vector of encrypted zeroes; e.g., 
$x = (\mathcal{E}(0), \ldots, \mathcal{E}(0))$. The signal coupons are represented by a vector of en- 
cryptions that contains at least one encryption of a non-zero element; e.g., 
$y = (\mathcal{E}(0), \ldots, \mathcal{E}(0), \mathcal{E}(1))$. To prevent the adversary from forging coupons, the 
coupons are signed with the set-homomorphic signature. The combining opera- 
tion is simply the set union: $\mathcal{C}_{PK}((x, SIG(x)), (y, SIG(y))) = (x \cup y, SIG(x \cup y))$. 
The drawback of this construction is immediate: as coupons are combined and 
passed around the network, they quickly grow very large. Constructing a BCM 
with no expansion of coupons is more challenging. We describe such a construc- 
tion next. 


3.2 Abstract Group Structure 

We sketch the abstract group structure that will allow us to implement a secure 
and efficient BCM. Concrete instantiations of this group structure are provided 
in Section 4. 

Let $\Gamma = \{\Gamma_k\}$ be a family of sets of tuples (U, G, D, d, s), where U is a finite 
set, and G is a subset of U. G also has a group structure: it is a cyclic group 
generated by s. D is a subgroup of G generated by d, such that the factor group 
G/D has prime order |G|/|D|. The orders of D and G/D are bounded by $2^k$; 
moreover, $|G|/|U| \le negl(k)$ and $|D|/|G| \le negl(k)$. 

Let $\mathcal{G}'$ be a PPT algorithm that on input of $1^k$ samples from $\Gamma_k$ accord- 
ing to some distribution. We consider $\Gamma_k$ to be a probability space with this 
distribution. 

We assume there exists an efficient, deterministic algorithm for distinguishing 
elements of G from elements of $U \setminus G$, and an efficient algorithm for computing 
the group operation in G. 

- The key generation algorithm $\mathcal{G}(1^k)$ runs $\mathcal{G}'$ to sample (U, G, D, d, s) from 
$\Gamma_k$, and outputs the public key PK = (U, G, d, k), the secret key SK = |D|, 
as well as d and s. 

The elements of D will represent dummy coupons, the elements of $G \setminus D$ will 
represent signal coupons, and the elements of $U \setminus G$ will be invalid coupons 
(see Figure 1). 

- The verification algorithm $\mathcal{V}_{PK}(y)$ checks that the coupon y is in G. 

- The combining algorithm $\mathcal{C}_{PK}(x, y)$ is simply the group operation com- 
bined with randomization. For input $x, y \in G$, sample $r_0$, $r_1$ and $r_2$ uniformly 
at random from $\{0, 1, \ldots, 2^{2k} - 1\}$, and output $r_0 d + r_1 x + r_2 y$. 

- Because $|D| \cdot y = 0$ if and only if $y \in D$, the decoding algorithm $\mathcal{D}_{SK}$ 
checks if $|D| \cdot y = 0$. 

The indistinguishability and unforgeability properties of the BCM will de- 
pend on the hardness assumptions described below. 
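A toy instantiation of the abstract structure (U, G, D, d, s) and of the alert-spreading use described in Section 1, written as an added example; it is not code from the paper and the group is not one of the paper's constructions. U is the additive group $Z_M$, G is the subgroup generated by a cofactor c, D is the subgroup generated by c·b, and G/D has prime order b, so key generation, verification, combining ($r_0 d + r_1 x + r_2 y$) and decoding ($|D| \cdot y = 0$) are exactly the four operations of Section 3.2. The structure is deliberately insecure: membership in D is decidable from public data by multiplying by |D|, and |G|/|U| = 1/c is far from negligible, so it exercises the mechanics only. The gossip simulation, the Byzantine behaviour (replaying the initial dummy or sending a value outside G) and all numeric parameters are choices made here.

```python
import random

# --- Toy group structure (U, G, D, d, s), constructed for this example ---
# U = Z_M with addition as the group operation; G = <COFACTOR> has order
# A_ORDER * B_PRIME; D = <COFACTOR * B_PRIME> has order A_ORDER; G/D has prime
# order B_PRIME. NOT secure: anyone can decide membership in D by multiplying
# by A_ORDER, and |G|/|U| = 1/COFACTOR is not negligible, so both the subgroup
# membership and the subgroup escape problems are easy here.
A_ORDER = 7                        # |D|
B_PRIME = 2147483647               # |G/D| (prime): a signal is lost with prob ~2^-31
COFACTOR = 13                      # index [U : G]
M = A_ORDER * B_PRIME * COFACTOR   # |U|
K = 31                             # security parameter: |D| and |G/D| are below 2^K


def keygen():
    """G(1^k): PK = (U, G, d, k) encoded as (M, COFACTOR, d, K); SK = |D|."""
    d = (COFACTOR * B_PRIME) % M   # generator of D, the initial dummy coupon
    s = COFACTOR                   # generator of G, a signal coupon
    return (M, COFACTOR, d, K), A_ORDER, d, s


def verify(pk, y):
    """V_PK(y): valid iff y lies in G = <COFACTOR> inside U = Z_M."""
    modulus, c, _, _ = pk
    return isinstance(y, int) and 0 <= y < modulus and y % c == 0


def combine(pk, x, y, rng):
    """C_PK(x, y) = r0*d + r1*x + r2*y with r_i uniform in {0, ..., 2^(2k) - 1}."""
    modulus, _, d, k = pk
    r0, r1, r2 = (rng.randrange(2 ** (2 * k)) for _ in range(3))
    return (r0 * d + r1 * x + r2 * y) % modulus


def decode(pk, sk, y):
    """D_SK(y): |D| * y == 0 exactly when y is in D (dummy); otherwise signal."""
    return 0 if (sk * y) % pk[0] == 0 else 1


def combine_check(trials, seed):
    """Counts: dummy+dummy results that decode to dummy, dummy+signal that decode to signal."""
    rng = random.Random(seed)
    pk, sk, d, s = keygen()
    dd = sum(decode(pk, sk, combine(pk, d, d, rng)) == 0 for _ in range(trials))
    ds = sum(decode(pk, sk, combine(pk, d, s, rng)) == 1 for _ in range(trials))
    return dd, ds


def simulate_alert(n_nodes, sentinels, byzantine, rounds, seed):
    """Push gossip: each round every node sends one coupon to a random peer.
    Honest nodes forward a rerandomised combination of what they hold and fold
    received coupons into their state; sentinels always hold a signal; Byzantine
    nodes replay the initial dummy coupon or send junk. Returns (honest non-sentinel
    nodes whose final coupon decodes to signal, junk messages dropped by V_PK)."""
    rng = random.Random(seed)
    pk, sk, d, s = keygen()
    state = [s if i in sentinels else d for i in range(n_nodes)]
    dropped = 0
    for _ in range(rounds):
        for sender in range(n_nodes):
            peer = rng.choice([i for i in range(n_nodes) if i != sender])
            if sender in byzantine:
                msg = d if rng.random() < 0.5 else 1   # replayed dummy, or junk (1 is not in G)
            else:
                msg = combine(pk, state[sender], d, rng)   # blinding: fresh-looking coupon
            if peer in sentinels or peer in byzantine:
                continue                                   # sentinels keep s; Byzantine ignore
            if not verify(pk, msg):
                dropped += 1                               # invalid coupons never enter a state
                continue
            state[peer] = combine(pk, state[peer], msg, rng)
    honest = [i for i in range(n_nodes) if i not in sentinels and i not in byzantine]
    return sum(decode(pk, sk, state[i]) for i in honest), dropped


if __name__ == "__main__":
    print(combine_check(100, 0), simulate_alert(20, {0}, {19}, 60, 1))
```

Two things the run makes visible that the prose only states: a Byzantine node that replays dummies or sends values outside G cannot stop the alert (its junk is dropped at verification, its replays are harmlessly absorbed), and without any sentinel every coupon in the system stays in D no matter how many combinations are performed.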
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Definition 3. The subgroup membership problem for $\Gamma$ asks: given a tuple 
(U, G, D, d, s) from $\Gamma$ and $y \in G$, decide whether $y \in D$ or $y \in G \setminus D$. 

The subgroup membership problem is hard if for any PPT algorithm A, 

$$\left| \Pr\left[ b' = b \;:\; (U, G, D, d, s) \leftarrow \Gamma_k;\ y_0 \leftarrow D;\ y_1 \leftarrow G \setminus D;\ b \leftarrow \{0, 1\};\ b' \leftarrow A(U, G, D, d, s, y_b) \right] - \frac{1}{2} \right| \le negl(k).$$



Various subgroup membership problems have been extensively studied in 
the literature, and examples include the Decision Diffie-Hellman problem [11], 
the quadratic residue problem [18], among others [28,31,33]. Our constructions 
however are more related to the problems described in [16,29]. 

Definition 4. The subgroup escape problem for Γ asks: given U, G, D and 
the generator d for D from the tuple (U, G, D, d, s) from Γ, find an element 
y ∈ G \ D. 

The subgroup escape problem is hard if for any PPT algorithm A, 

\[
\Pr\left[\, y \in G \setminus D \;\middle|\; (U, G, D, d, s) \leftarrow \Gamma_k;\ y \leftarrow A(U, G, D, d) \,\right] < \mathrm{negl}(k).
\]

The subgroup escape problem has to our knowledge not appeared in the 
literature before. It is clear that unless |G|/|U| is negligible, finding elements of 
G \ D cannot be hard. We show in Section 6 that if |G|/|U| is negligible, the 
subgroup escape problem is provably hard in the generic model. 

We also note that the problem of generating a signal coupon from polynomi- 
ally many dummy coupons is essentially the subgroup escape problem. 

Theorem 1. Let Γ be as above. If the subgroup membership problem and the 
subgroup escape problem for Γ are hard, then the corresponding BCM is secure. 

Proof. Fix k and (U, G, D, d, s) sampled from Γ_k. 

We prove the blinding property first, and start with the ideal case: For input 
x, y ∈ G, sample r_0 uniformly from {0, 1, ..., |D| − 1}, and r_1 and r_2 uniformly 
from {0, 1, ..., |G/D| − 1}, and output r_0 g + r_1 x + r_2 y, where g = d is the 
generator of D. 

If x, y ∈ D, the product is uniformly distributed in D, since r_0 g is. 

If x ∉ D, then the residue class r_1 x + D is uniformly distributed in G/D. 
Since r_0 g is uniformly distributed in D, the product is uniformly distributed in 
G. The uniform distribution on G is |D|/|G|-close to the uniform distribution 
on G \ D. The same argument holds for r_2 y. 

Finally we note that we do not need to know |D| or |G/D|. Since we know 
that |D| and |G/D| are less than 2^k, sampling r_0, r_1, r_2 uniformly from the set 
{0, ..., 2^{2k} − 1} will produce an output distribution that is 2^{−k}-close to ideal, 
which proves the bound for blinding. 

3 Henceforth, we assume that groups we operate on have some concise description, 
which can be passed as an argument to our algorithms. We also assume that group 
elements can be uniquely encoded as bit strings. 

Next, we prove the indistinguishability property, so let A be an adversary 
against indistinguishability. We have a subgroup membership problem instance 
(U, G, D, d, s) and y ∈ G. We construct the public key PK = (U, G, d, k), and 
give A as input PK, d and y. 

If A answers 1, we conclude that y ∈ G \ D, otherwise y ∈ D. Whenever A 
is correct, we will be correct, so A must have negligible advantage. 

Finally, we deal with forging. Let A be an adversary against unforgeability. 
We have a subgroup escape problem instance U, G and D, and a generator d for 
D. Again we construct the public key PK = (U, G, d, k), and give A as input 
PK and d. 

Our output is simply A's output. Whenever A succeeds, we will succeed, so 
A must have negligible success probability. □ 

4 Constructing the BCM 

We now give two instantiations of the abstract group structure ( U,G,D ) de- 
scribed in the previous section. First, we review some basic facts about elliptic 
curves over composite moduli in Section 4.1. Then, in Section 4.2, we describe 
our BCM construction that utilizes these curves. In Section 4.3, we describe 
an alternative BCM construction on elliptic curves equipped with bilinear pair- 
ings. These constructions can be used to undetectably transmit a one-shot signal 
throughout the network. In Section 4.4, we describe how the BCM’s bandwidth 
can be further expanded. 


4.1 Preliminaries 

Let n be an integer greater than 1 and not divisible by 2 or 3. We first 
introduce projective coordinates over Z_n. Consider the set Ũ of triples (x, y, z) ∈ Z_n^3 
satisfying gcd(x, y, z, n) = 1. Let ~ be the equivalence relation on Ũ defined by 
(x, y, z) ~ (x', y', z') iff there exists λ ∈ Z_n^* such that (x, y, z) = (λx', λy', λz'). 
Let U be the set of equivalence classes in Ũ. We denote the equivalence class of 
(x, y, z) as (x : y : z). 

An elliptic curve over Z_n is defined by the equation 

\[
E: Y^2 Z = X^3 + aXZ^2 + bZ^3 \pmod{n},
\]

where a, b are integers satisfying gcd(4a^3 + 27b^2, n) = 1. The set of points on 
E/Z_n is the set of equivalence classes (x : y : z) ∈ U satisfying y^2 z = x^3 + axz^2 + 
bz^3 (mod n), and is denoted by E(Z_n). Note that if n is prime, these definitions 
correspond to the usual definitions for projective coordinates over prime fields. 

Let p and q be primes, and let n = pq. Let E_p: Y^2 Z = X^3 + a_p XZ^2 + b_p Z^3 
and E_q: Y^2 Z = X^3 + a_q XZ^2 + b_q Z^3 be elliptic curves defined over F_p and F_q, 
respectively. We can use the Chinese remainder theorem to find a and b yielding 
an elliptic curve E: Y^2 Z = X^3 + aXZ^2 + bZ^3 over Z_n such that the reduction 
of E modulo p gives E_p and likewise for q. 

It can also be shown that the Chinese remainder theorem gives a set isomorphism 

\[
E(\mathbb{Z}_n) \cong E_p(\mathbb{F}_p) \times E_q(\mathbb{F}_q)
\]

inducing a group operation on E(Z_n). For almost all points in E(Z_n), the usual 
group operation formulae for the finite field case will compute the induced group 
operation. When they fail, the attempted operation gives a factorization of the 
composite modulus n. Unless E_p(F_p) or E_q(F_q) has smooth or easily guessable 
order, this will happen only with negligible probability (see [14] for more details). 


4.2 BCM on Elliptic Curves Modulo Composites 

Let p, q, ℓ_1, ℓ_2, ℓ_3 be primes, and suppose we have elliptic curves E_p/F_p and E_q/F_q 
such that #E_p(F_p) = ℓ_1 ℓ_2 and #E_q(F_q) = ℓ_3. Curves of this form can be found 
using complex multiplication techniques [5,26]. 

With n = pq, we can find E/Z_n such that #E(Z_n) = ℓ_1 ℓ_2 ℓ_3. Let U be 
the projective plane modulo n, let G be E(Z_n), and let D be the subgroup of 
order ℓ_1 ℓ_3. The public key is PK = (G, D, n), while the secret key is SK = 
(p, q, ℓ_1, ℓ_2, ℓ_3).^4 


Verification Function For any equivalence class (x : y : z) in U, it is easy to 
decide if (x : y : z) is in E(Z_n) or not, simply by checking if y^2 z = x^3 + axz^2 + bz^3 
(mod n). 

Subgroup Membership Problem For the curve E_p(F_p), distinguishing the 
elements of prime order from the elements of composite order seems to be hard, 
unless it is possible to factor the group order [16]. 

Counting the number of points on an elliptic curve defined over a composite 
number is equivalent to factoring the number [27,24]. Therefore, the group order 
#E_p(F_p) is hidden. 

When the group order is hidden, it cannot be factored. It therefore seems 
reasonable that the subgroup of E(Z_n) of order ℓ_1 ℓ_3 is hard to distinguish from 
the rest of the points on the curve, as long as the integer n is hard to factor. 

Subgroup Escape Problem Anyone capable of finding a random point on 
the curve will with overwhelming probability be able to find a point outside the 
subgroup D. 

Finding a random point on an elliptic curve over a field is easy: Choose a 
random x-coordinate and solve the resulting quadratic equation. It has rational 
solutions with probability close to 1/2. 

This does not work for elliptic curves over the ring Z_n, since solving square 
roots modulo n is equivalent to factoring n. One could instead try to choose a 
y-coordinate and solve for the x-coordinate, but solving cubic equations in Z_n 
seems no easier than finding square roots. 

4 To describe groups G and D, we publish the elliptic curve equation and the generator 
for D. This gives away enough information to perform group operations in G, check 
membership in G, and generate new elements in D (but not in G). 

One could try to find x and y simultaneously, but there does not seem to be 
any obvious strategy. This is in contrast to quadratic curves, where Pollard [36] 
gave an algorithm to find solutions of a quadratic equation modulo a composite 
(which broke the Ong-Schnorr-Shamir signature system [32]). These techniques 
do not seem to apply to the elliptic curve case. 

Finding a lift of the curve over the integers does not seem promising. While 
torsion points are fairly easy to find, they will not exist if the curve E/Z_n does not 
have points of order less than or equal to 12. If we allow E/Z_n to have points of 
small order that are easily found, we can simply include them in the subgroup D. 

Finding rational non-torsion points on curves defined over Q is certainly non- 
trivial, and seems impossibly hard unless the point on the lifted curve has small 
height [38] . There does not seem to be any obvious way to find a lift with rational 
points of small height (even though they certainly exist). 

What if we already know a set of points on the curve? If we are given P_1, P_2, P_3 ∈ 
E(Z_n), we can find, unless the points are collinear, a quadratic curve 

\[
C: YZ = \alpha X^2 + \beta XZ + \gamma Z^2
\]

defined over Z_n that passes through P_1, P_2, P_3. Considering divisors, it is easy to 
show that the fourth intersection point P_4 is the inverse sum of the three known 
points. 

If points of the curve only yield new points via the group operation, and 
it seems hard to otherwise find points on E(Z_n), it is reasonable to assume 
that E(Z_n) and its subgroup, as described in the previous section, yield a hard 
subgroup escape problem. 
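The construction of Section 3 with the group structure of this section, as an added toy implementation (Python, written for this page) that is not part of the paper. It instantiates key generation, V_PK, C_PK and D_SK on E(Z_n) with n = pq, #E_p(F_p) = ℓ_1 ℓ_2, #E_q(F_q) = ℓ_3 and D of order ℓ_1 ℓ_3. Every parameter choice is an assumption of the toy: p = 1019 and q = 1031 (10-bit primes, both 3 mod 4 so that a square root mod p costs one exponentiation), curves found by brute-force point counting instead of complex multiplication, ℓ_1 and ℓ_2 forced to be at least 40 and 11, affine rather than projective coordinates, and decoding that uses the secret factor p. The one behaviour of the real construction the toy reproduces faithfully is the failure mode of Section 4.1: with tiny primes the finite-field addition formulas frequently hit a point at infinity modulo only one of p and q, which would factor n, so the combiner redraws its randomness whenever that happens.

```python
import math
import random

# Toy instance of the Section 4.2 BCM, constructed for illustration: p and q are
# 10-bit primes, so the curves are found by brute-force point counting.
def is_prime(m): return m > 1 and all(m % f for f in range(2, int(m**0.5) + 1))

def curve_order(a, b, p):
    """#E(F_p) = p + 1 + sum_x legendre(x^3 + a x + b), via Euler's criterion."""
    t = [pow((x**3 + a*x + b) % p, (p - 1)//2, p) for x in range(p)]
    return p + 1 + sum(-1 if v == p - 1 else v for v in t)

def random_point(a, b, p, rng):
    """Random affine point on E(F_p), p = 3 (mod 4): draw x until x^3+ax+b is a square."""
    while True:
        x = rng.randrange(p)
        r = (x**3 + a*x + b) % p
        y = pow(r, (p + 1)//4, p)
        if r and y*y % p == r:
            return (x, y)

def ec_add(P, Q, a, n):
    """Affine group law mod n (None = infinity); a non-invertible denominator splits n."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return None
    num, den = ((3*x1*x1 + a) % n, 2*y1 % n) if P == Q else ((y2 - y1) % n, (x2 - x1) % n)
    if math.gcd(den, n) != 1:
        raise ValueError("group law failed; gcd(%d, n) is a factor of n" % den)
    lam = num * pow(den, -1, n) % n
    x3 = (lam*lam - x1 - x2) % n
    return (x3, (lam*(x1 - x3) - y1) % n)

def ec_mul(m, P, a, n):                             # double-and-add
    R = None
    while m:
        if m & 1: R = ec_add(R, P, a, n)
        P, m = ec_add(P, P, a, n), m >> 1
    return R

def crt(rp, rq, p, q):                              # residue mod pq from residues mod p, q
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p*q)

def keygen(rng, p, q):
    """E_p of order l1*l2, E_q of prime order l3, glued by the CRT; returns PK, SK, s."""
    while True:                                     # E_p: order a product of two primes
        ap, bp = rng.randrange(p), rng.randrange(p)
        if (4*ap**3 + 27*bp**2) % p == 0: continue
        N = curve_order(ap, bp, p)
        fs = [f for f in range(11, N) if N % f == 0 and is_prime(f)]
        if len(fs) == 2 and fs[0]*fs[1] == N and fs[1] >= 40:
            l2, l1 = fs; break                      # l1 = the larger prime (see combine)
    while True:                                     # E_q: prime order l3
        aq, bq = rng.randrange(q), rng.randrange(q)
        l3 = curve_order(aq, bq, q)
        if (4*aq**3 + 27*bq**2) % q and is_prime(l3): break
    while True:                                     # d_p of order l1, s_p of order l1*l2
        dp = ec_mul(l2, random_point(ap, bp, p, rng), ap, p)
        sp = random_point(ap, bp, p, rng)
        if dp and ec_mul(l1, sp, ap, p) and ec_mul(l2, sp, ap, p): break
    dq, sq = random_point(aq, bq, q, rng), random_point(aq, bq, q, rng)   # order l3
    d = (crt(dp[0], dq[0], p, q), crt(dp[1], dq[1], p, q))   # generates D, |D| = l1*l3
    s = (crt(sp[0], sq[0], p, q), crt(sp[1], sq[1], p, q))   # generates G, |G| = l1*l2*l3
    pk = dict(n=p*q, a=crt(ap, aq, p, q), b=crt(bp, bq, p, q), d=d,
              k=max(l1*l3, l2).bit_length())        # |D|, |G/D| < 2^k
    return pk, (p, q, l1, l2, l3), s

def verify(pk, y):                                  # V_PK: y is a point of E(Z_n)
    return y is None or (y[1]**2 - y[0]**3 - pk['a']*y[0] - pk['b']) % pk['n'] == 0

def combine(pk, x, y, rng):
    """C_PK(x, y) = r0*d + r1*x + r2*y, r_i uniform in {0, ..., 2^(2k)-1}. With toy
    primes the affine law often meets a point at infinity modulo only one of p, q
    (which would split n); we then redraw. For real sizes this is negligible."""
    n, a, d, k = pk['n'], pk['a'], pk['d'], pk['k']
    while True:
        r0, r1, r2 = (rng.randrange(2**(2*k)) for _ in range(3))
        try:
            t = ec_add(ec_mul(r0, d, a, n), ec_mul(r1, x, a, n), a, n)
            return ec_add(t, ec_mul(r2, y, a, n), a, n)
        except ValueError:
            pass

def decode(pk, sk, y):
    """D_SK: 0 (dummy) iff |D|*y = O. |D| = l1*l3 kills every E_q component, so
    with the secret p the test is just l1*(y mod p) = O on E_p."""
    p, l1 = sk[0], sk[2]
    return 0 if y is None or ec_mul(l1, (y[0] % p, y[1] % p), pk['a'] % p, p) is None else 1

def demo(trials=100, seed=7):
    rng = random.Random(seed)
    pk, sk, s = keygen(rng, 1019, 1031)             # constructed toy primes, both 3 mod 4
    d = pk['d']
    dummies = [combine(pk, d, d, rng) for _ in range(trials)]
    mixed = [combine(pk, s, x, rng) for x in dummies]
    bad = next(c for c in ((d[0], d[1] + t) for t in (1, 2)) if not verify(pk, c))
    return {'all_valid': all(verify(pk, c) for c in dummies + mixed),
            'dummies_decode_0': all(decode(pk, sk, c) == 0 for c in dummies),
            'signal_rate': sum(decode(pk, sk, c) for c in mixed) / trials,  # about 1 - 1/l2
            'invalid_rejected': not verify(pk, bad)}
```

demo() reports that every combined coupon passes V_PK, that dummies combined with dummies always decode to 0, that a signal combined with a dummy decodes to 1 with frequency about 1 − 1/ℓ_2 (the |D|/|G|-closeness from the proof of Theorem 1, visible only because ℓ_2 is tiny here), and that a pair of residues off the curve is rejected.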

4.3 BCM on Groups with Bilinear Pairings 

Let p, ℓ_1, ℓ_2, and ℓ_3 be primes such that p + 1 = 6ℓ_1 ℓ_2 ℓ_3, and p ≡ 2 (mod 3). Here, 
ℓ_1, ℓ_2, ℓ_3 must be distinct and larger than 3. The elliptic curve E: Y^2 = X^3 + 1 
defined over F_p is supersingular and has order p + 1. Because F_{p^2}^* has order 
p^2 − 1 = (p + 1)(p − 1), there is a modified Weil pairing e: E(F_p) × E(F_p) → F_{p^2}^*. 
This pairing is known to be bilinear: e(aP, bQ) = e(P, Q)^{ab} for all P, Q ∈ E(F_p) 
and a, b ∈ Z_p. It can be computed as described in [6]. 

Let U = E(F_p), and let G and D be the subgroups of E(F_p) of order ℓ_1 ℓ_2 and 
ℓ_1, respectively. We also let P be a point in E(F_p) of order 6ℓ_1 ℓ_2 ℓ_3, and let R be a 
point of order 6ℓ_3 in E(F_p), say R = ℓ_1 ℓ_2 P. The public key is PK = (G, D, p, R) 
and the secret key is SK = (ℓ_1, ℓ_2, ℓ_3). The pairing e allows us to describe G in 
the public key without giving away secret information. 

Verification Function. We claim that for any point Q ∈ E(F_p), Q ∈ G if 
and only if e(Q, R) is equal to 1. If Q ∈ G, then Q has order ℓ_1 ℓ_2 and for some 
integer s, Q = 6sℓ_3 P. Then 

\[
e(Q, R) = e(6 s \ell_3 P,\ \ell_1 \ell_2 P) = e(P, P)^{6 s \ell_1 \ell_2 \ell_3} = 1.
\]

So the point R and the pairing e allow us to determine if points are in G or in 
U \ G. 

Subgroup Membership Problem. Distinguishing the subgroup D (the points 
of order ℓ_1) from G (the points of order ℓ_1 ℓ_2) can easily be done if the integer 
ℓ_1 ℓ_2 ℓ_3 can be factored. In general, factoring seems to be the best way to 
distinguish the various subgroups of E(F_p). 

Because we do not reveal any points of order ℓ_2 or ℓ_1 ℓ_2, it seems impossible 
to use the pairing to distinguish the subgroup D in this way. (Theorem 1 of [16] 
assumes free sampling of any subgroup, which is why it and the pairing cannot 
be used to distinguish the subgroups of E(F_p).) It therefore seems reasonable to 
assume that the subgroup membership problem for G and D is hard, which will 
provide indistinguishability. 

Subgroup Escape Problem. For a general cyclic group of order ℓ_1 ℓ_2 ℓ_3, it is 
easy to find elements of order ℓ_1 ℓ_2 if ℓ_3 is known. Unless ℓ_3 is known, it is hard 
to find elements of order ℓ_1 ℓ_2, and knowing elements of order ℓ_1 does not help. 

For our concrete situation, factoring the integer ℓ_1 ℓ_2 ℓ_3 into primes seems to 
be the best method for solving the problem. If the primes ℓ_1, ℓ_2 and ℓ_3 are 
chosen carefully to make the product ℓ_1 ℓ_2 ℓ_3 hard to factor, it seems reasonable 
to assume that the subgroup escape problem for U, G and D is hard. 


4.4 Extending the BCM’s Bandwidth 

The blind coupon mechanism allows a single bit to be transmitted undetectably. 
Although this is sufficient for our network alert application, sometimes we may 
want to transmit longer messages. 

Trivial Construction. By using multiple blind coupon schemes over different 
moduli in parallel, we can transmit longer messages. Each m-bit message x = 
x_1 ... x_m is represented by a vector of coupons (c_1, ..., c_{2m}), where each c_i is 
drawn from a different scheme. Each processor applies his algorithm in parallel 
to each of the entries in the vector, verifying each coupon independently and 
applying the appropriate combining operation to each c_i. 

A complication is that an adversary given a vector of coupons might choose 
to propagate only some of the c_i, while replacing others with dummy coupons. 
We can enable the receiver to detect when it has received a complete message by 
representing each bit x_i by two coupons: c_{2i−1} (for x_i = 0) and c_{2i} (for x_i = 1). 
A signal coupon in either position tells the receiver both the value of the bit and 
that the receiver has successfully received it. 

Alas, we must construct and run Ω(m) blind coupon schemes in parallel to 
transmit m bits. 
Better Construction. Some additional improvements in efficiency are possible. 
As before, our group structure is (U, G, D). Suppose our cyclic group G 
has order n_0 p_1 ··· p_m, where the p_i are distinct primes. Let D be the subgroup of G 
of order n_0. 

An m-bit message x = x_1 ... x_m is encoded by a coupon y ∈ G whose order 
is divisible by ∏_{i : x_i = 1} p_i. For each i, we can find an element g_i ∈ G of order n_0 p_i. 
We can thus let y = g_1^{r_1 x_1} ··· g_m^{r_m x_m} for random r_1, ..., r_m ∈ {0, 1, ..., 2^{2k} − 1}. 

When we combine two coupons y_1 and y_2, it is possible that the order of 
their combination C_PK(y_1, y_2) is less than the l.c.m. of their respective orders. 
However, if the primes p_i are sufficiently large, this is unlikely to happen. 

In Section 4.2, n_0 is a product of two moderately large primes, while the other 
primes can be around 2^80. For the construction from Section 4.3, n_0 is prime, 
but every prime must be fairly large to counter elliptic curve factorization. 

This technique allows us to transmit messages of quite restricted bandwidth. 
It remains an open problem whether some other tools can be used to achieve 
higher capacity without a linear blow-up in message size. 

5 Spreading Alerts with the BCM 

In this section, we show how the BCM can be used to spread an alert quietly 
and quickly throughout a network. 

To summarize these results briefly, we consider a very general message- 
passing model in which each node P_i has a “split brain,” consisting of an update 
algorithm U_i that is responsible for transmitting and combining coupons, and 
a supervisor algorithm S_i that may insert a signal coupon into the system 
at some point. The supervisor algorithm S_i of sentinel nodes initially hands 
out dummy coupons until an attacker’s presence is detected, when it switches to 
sending signal coupons. Meanwhile, regular nodes’ S_i always doles out dummy 
coupons. The update algorithm U_i in each node may behave arbitrarily; the 
intent is that it represents an underlying strategy for spreading alerts whose 
actions do not depend on whether the process is transmitting a dummy or signal 
coupon. 

The nodes carry out these operations under the control of a PPT attacker 
A (who wants to remain undetectable) that can observe all the external op- 
erations of the nodes and may deliver any message to any node at any time, 
including messages of its own invention. (To save space, we omit a formal de- 
scription of the model from this extended abstract, deferring details to the full 
paper.) 

We show first that, assuming the BCM is secure, the attacker can neither 
detect nor forge alerts (with non-negligible probability) despite its total control 
over message traffic. This result holds no matter what update algorithm is used 
by each node; indeed, it holds even if the update half of each node colludes 
actively with the adversary. We then give examples of some simple strategies for 
spreading an alert quickly through the network with some mild constraints on 
the attacker’s behavior. 
5.1 Security 

Let us begin with the security properties we want our alert-spreading mechanism 
to have. In the following, we let c_i^t be the indicator variable for the event that the 
supervisor half of node P_i supplies a signal coupon at time t. (This is the only 
information we need about the behavior of S_i.) We write ℰ(PK, SK, A, {U_i}, {c_i^t}) 
for the probability distribution on protocol executions given the specified public 
key, secret key, attacker, update algorithms, and supervisor behaviors. 

Definition 5. A set of update algorithms {U_i} is secure if, for any adversary 
algorithm A, and any T = poly(k), we have: 

1. Undetectability: Given two distributions on executions, one in which no 
signal coupons are injected by supervisors and one in which some are, the 
adversary cannot distinguish between them with probability greater than 1/2. 
Formally, let c_i^{0,t} = 0 for all i, t and let c_i^{1,t} be arbitrary. Then for any 
PPT algorithm 𝒟, 

\[
\Pr\left[\, b = b' \;\middle|\; (PK, SK, d, s) \leftarrow \mathcal{G}(1^k);\ \ldots \,\right] \ \ldots
\]

2. Unforgeability: The adversary cannot cause any process to transmit a 
signal coupon unless one is supplied by a supervisor. Formally, if c_i^t = 0 for all 
i, t, then there is no PPT algorithm A such that 

\[
\Pr\left[\, c \in S_{SK} \;\middle|\; \ldots;\ c \leftarrow A(\mathcal{E}) \,\right] \ \ldots
\]
Security of the alert-spreading mechanism follows immediately from the 
security of the underlying blind coupon mechanism. The essential idea behind 
undetectability is that because neither the adversary nor the update algorithms 
can distinguish between dummy and signal coupons distributed by the supervisor 
algorithms, there is no test that can detect their presence or absence. For 
unforgeability, the inability of the adversary and update algorithms to generate a 
signal coupon follows immediately from the unforgeability property of the BCM. 


Theorem 2. An alert-spreading mechanism is secure if the underlying blind 
coupon mechanism is secure. 

Proof (sketch). We show first undetectability and then unforgeability. 


Undetectability. Suppose that the alert-spreading mechanism does not satisfy 
undetectability, i.e. that there exists a set of update algorithms {U_i}, an 
adversary A, and pattern {c_i^{1,t}} of signal coupons that can be distinguished from only 
dummy coupons by some PPT algorithm 𝒟 with non-negligible probability. 

Let us use this fact to construct a PPT algorithm B that violates 
indistinguishability. Let y be the coupon input to B. Then B will simulate an execution ℰ 
of the alert-spreading protocol by simulating the adversary A and the 
appropriate update algorithm U_i at each step. The only components of the protocol that 
B cannot simulate directly are the supervisor algorithms S_i, because B does not 
have access to signal coupons provided to the supervisor algorithms of sentinel 
nodes. But here B lets c_i^t = C(d, d) when c_i^{1,t} = 0 and lets c_i^t = C(y, y) when 
c_i^{1,t} = 1. By the blinding property of the BCM, if y ∈ D_SK, then all coupons c_i^t 
will be statistically indistinguishable from uniformly random dummy coupons, 
giving a distribution on executions that is itself statistically indistinguishable 
from ℰ(PK, SK, A, {U_i}, {c_i^{0,t}}). If instead y ∈ S_SK, then c_i^t will be such that 
the resulting distribution on executions will be statistically indistinguishable 
from ℰ(PK, SK, A, {U_i}, {c_i^{1,t}}). It follows from the indistinguishability 
property of the BCM that no PPT algorithm 𝒟 can distinguish between these two 
distributions with probability greater than 1/2 + negl(k). 

Unforgeability. The proof of unforgeability is similar. Suppose that there is 
some adversary and a set of update functions that between them can, with non- 
negligible probability, generate a signal coupon given only dummy coupons from 
the supervisor algorithms. Then a PPT algorithm B that simulates an execution 
of this system and returns a coupon obtained by combining all valid coupons 
sent during the execution forges a signal coupon with non-negligible probability, 
contradicting the unforgeability property of the BCM. 

□ 

5.2 Performance 

It is not enough that the attacker cannot detect or forge alerts: a mechanism 
that used no messages at all could ensure that. To ensure that all non-faulty 
nodes eventually receive an alert, we must specify both a strategy for the nodes’ 
update algorithms and place restrictions on the attacker’s ability to discard 
messages. In the full paper, we give two simple examples of how alerts might be 
spread in practice: a synchronous flooding algorithm that spreads an alert to all 
nodes in time proportional to the diameter of the network (after removing faulty 
nodes), and a simple asynchronous epidemic algorithm that spreads the alert in 
time O(n log n) in a complete network of n nodes, where at most a constant 
fraction of nodes is faulty. In each case the behavior of the update algorithms 
is straightforward: invalid incoming coupons are discarded, while valid incoming 
coupons are combined with previous coupons. 

6 Generic Security of the Subgroup Escape Problem 

We prove that the subgroup escape problem is hard in the generic group 
model [37] when the representation set is much larger than the group. 

Let G be a finite cyclic group and let U ⊂ {0, 1}^* be a set such that |U| > |G|. 
In the generic group model, elements of G are encoded as unique random strings. 
We define a random injective function σ: G → U, which maps group elements 
to their string representations. Algorithms have access to an oracle that on input 
of x ± y returns σ(σ^{−1}(x) ± σ^{−1}(y)) when both x, y ∈ σ(G) ⊂ U, and otherwise 
the special symbol ⊥. An algorithm can use the oracle to decide whether x ∈ U 
is in σ(G) or not by sending the query x + x to the oracle. If x ∉ σ(G), the reply 
will be ⊥. 


Theorem 3. Let D be a subgroup of G ⊂ U. Let g be a generator of D. Let A 
be a generic algorithm that solves the subgroup escape problem. If A makes at 
most q queries to the group oracle, then 

\[
\Pr\left[\, y \in G \setminus D \;\middle|\; A(1^k, \sigma(g)) = \sigma(y) \,\right] \le q \cdot \frac{|G| - |D|}{|U| - q}.
\]

Proof. The algorithm can only get information about σ through the group oracle. 
If the input to the oracle is two elements known to be in σ(D), then the adversary 
learns a new element in σ(D). 

To have any chance of finding an element of σ(G \ D), the adversary must 
use the group oracle to test elements that are not known to be in σ(D). 

Suppose that after i queries, the adversary knows a elements in σ(D) and b 
elements of U \ σ(G) (a + b ≤ i). For any z outside the set of tested elements, 
the probability that z ∈ σ(G \ D) is exactly (|G| − |D|)/(|U| − b) (note that it 
is independent of a). 

Therefore, the probability that the adversary discovers an element in σ(G \ D) 
with the (i + 1)-th query is at most (|G| − |D|)/(|U| − i). For up to q queries, the probability 
that at least one of the tested elements is in σ(G \ D) is at most 

\[
\sum_{i=0}^{q-1} \frac{|G| - |D|}{|U| - i} \le q \cdot \frac{|G| - |D|}{|U| - q}.
\]

For a sufficiently large universe U, this probability is negligible. □ 
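The generic-group setting of Theorem 3, as an added simulation (Python) that is not part of the paper: G is Z_{|G|}, D its subgroup of order |D|, σ a random injection into a label set of size |U|, and the only access to the group is an oracle that adds two labels or answers ⊥. The generic algorithm coded here follows the proof's observation that combining known elements of σ(D) yields nothing new, so it spends its q queries testing fresh labels with x + x; this strategy and all the sizes are assumptions of the example.

```python
import random

# Simulation of the Section 6 generic-group argument. Constructed for
# illustration only: G is the additive group Z_|G|, D its subgroup of order |D|,
# sigma a random injection of G into the label set U = {0, ..., |U|-1}, and the
# algorithm's only access to the group is the oracle below.

class GenericGroupOracle:
    def __init__(self, group_order, subgroup_order, universe_size, rng):
        assert group_order % subgroup_order == 0 and universe_size >= group_order
        self.n, self.m, self.u = group_order, subgroup_order, universe_size
        labels = rng.sample(range(universe_size), group_order)   # random injection sigma
        self.enc = dict(enumerate(labels))                      # sigma: G -> U
        self.dec = {v: i for i, v in self.enc.items()}          # sigma^-1 on sigma(G)
        self.queries = 0

    def add(self, x, y):
        """The group oracle: sigma(sigma^-1(x) + sigma^-1(y)), or None standing for
        the symbol bottom when either label lies outside sigma(G)."""
        self.queries += 1
        if x in self.dec and y in self.dec:
            return self.enc[(self.dec[x] + self.dec[y]) % self.n]
        return None

    def generator_of_D(self):
        return self.enc[self.n // self.m]        # n/m has order m in Z_n, so it generates D

    def escaped(self, label):
        """Judge, not part of the oracle interface: does label encode an element of G \\ D?"""
        e = self.dec.get(label)
        return e is not None and e % (self.n // self.m) != 0

def generic_escape(oracle, q, rng):
    """A generic algorithm with q oracle queries. Adding known elements of sigma(D)
    only yields sigma(D) again, so it spends its budget testing fresh labels with
    the query x + x (Section 6) and outputs the first label found to be in sigma(G)."""
    known_D = {oracle.generator_of_D()}
    for x in rng.sample(range(oracle.u), q):
        if x not in known_D and oracle.add(x, x) is not None:
            return x
    return None

def estimate(group_order, subgroup_order, universe_size, q, trials, seed=11):
    """Measured success rate of generic_escape next to the Theorem 3 bound
    q(|G|-|D|)/(|U|-q), averaged over fresh random encodings sigma."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        o = GenericGroupOracle(group_order, subgroup_order, universe_size, rng)
        out = generic_escape(o, q, rng)
        hits += o.escaped(out)
        assert o.queries <= q
    return hits / trials, q * (group_order - subgroup_order) / (universe_size - q)
```

estimate() returns the measured success rate beside q(|G| − |D|)/(|U| − q). With |U| = 2000 the rate sits below the bound; with |U| = 10^6 and the same q it drops to about 10^{-3}, which is the "sufficiently large universe" of the last sentence of the proof.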


7 Conclusion 

We have defined and constructed a blind coupon mechanism, implementing a 
specialized form of a signed, AND-homomorphic encryption. Our proofs of se- 
curity are based on the novel subgroup escape problem, which seems hard on 
certain groups given the current state of knowledge. Our scheme can be instantiated 
with elliptic curves over Z_n of reasonable size, which makes our constructions 
practical. We have demonstrated that the BCM has many natural applications. 
In particular, it can be used to spread an alert undetectably in a variety of 
epidemic-like settings despite the existence of Byzantine processes and a power- 
ful, active adversary. 
Abstract. We introduce the first El Gamal based mix-net in which 
each mix-server partially decrypts and permutes its input, i.e., no re- 
encryption is necessary. An interesting property of the construction is 
that a sender can verify non-interactively that its message is processed 
correctly. We call this sender verifiability. 

The mix-net is provably UC-secure against static adversaries corrupt- 
ing any minority of the mix-servers. The result holds under the decision 
Diffie-Hellman assumption, and assuming an ideal bulletin board and an 
ideal zero-knowledge proof of knowledge of a correct shuffle. 

Then we construct the first proof of a decryption-permutation shuffle, 
and show how this can be transformed into a zero-knowledge proof of 
knowledge in the UC-framework. The protocol is sound under the strong 
RSA-assumption and the discrete logarithm assumption. 

Our proof of a shuffle is not a variation of existing methods. It is based 
on a novel idea of independent interest, and we argue that it is at least 
as efficient as previous constructions. 

1 Introduction 

The notion of a mix-net was invented by Chaum [10]. Properly constructed a 
mix-net takes a list of cryptotexts and outputs the cleartexts permuted using a 
secret random permutation. Usually a mix-net is realized by a set of mix-servers 
organized in a chain that collectively execute a protocol. Each mix-server receives 
a list of encrypted messages from the previous mix-server, transforms them, using 
partial decryption and/or random re-encryption, reorders them, and outputs the 
result. The secret permutation is shared by the mix-servers. 

1.1 Previous Work 

Chaum’s original “anonymous channel” [10,40] enables a sender to send mail 
anonymously. When constructing election schemes [10, 17, 42, 47, 39] a mix-net 
can be used to ensure that the vote of a given voter cannot be revealed. Abe gives 
an efficient construction of a general mix-net [2] , and argues about its properties. 
Jakobsson has written (partly with Juels) more general papers on the topic of 
mixing [30,31,32] focusing on efficiency. There are two known approaches to 
proving a correct shuffle efficiently. These are introduced by Furukawa et al. 
[19,20,21], and Neff [37,38] respectively. Groth [27] generalizes Neff’s protocol 
to form an abstract protocol for any homomorphic cryptosystem. 

Desmedt and Kurosawa [13] describe an attack on a protocol by Jakobsson 
[30]. Similarly Mitomo and Kurosawa [36] exhibit a weakness in another pro- 
tocol by Jakobsson [31]. Pfitzmann has given some general attacks on mix-nets 
[44,43], and Michels and Horster give additional attacks in [35]. Wikström [48] 
gives several attacks for a protocol by Golle et al. [26]. He also gives attacks 
for the protocols by Jakobsson [31] and Jakobsson and Juels [33]. Abe [3] has 
independently found related attacks. 

Canetti [9] , and independently Pfitzmann and Waidner [45] proposed security 
frameworks for reactive processes. We use the former universal composability 
(UC) framework. Both frameworks have composition theorems, and are based 
on older definitional work. The initial ideal-model based definitional approach 
for secure function evaluation is informally proposed by Goldreich, Micali, and 
Wigderson in [22]. The first formalizations appear in Goldwasser and Levin [24], 
Micali and Rogaway [34], and Beaver [5]. See [8,9] for an excellent background 
on these definitions. 

Wikström [49] defines the notion of a mix-net in the UC-framework, and 
provides a construction that is provably secure against static adversaries under 
the decisional Diffie-Hellman assumption. The scheme is practical only when the 
number of mix-servers is small. 


1.2 Contributions 

We introduce a new type of El Gamal based mix-net in which each mix-server 
only decrypts and permutes its input. No re-encryption is necessary. This allows 
an individual sender to verify non-interactively that its message was processed 
correctly, i.e., the scheme is sender verifiable. Although some older constructions 
have this property, ours is the first provably secure scheme. 

Then we give the first proof of a decrypt-permutation shuffle of El Gamal 
cryptotexts. There are two known approaches, [37, 27] and [19], to construct such 
a protocol, but our solution is based on a novel idea of independent interest, and 
we argue that it is at least as efficient as previous schemes. 

We also give the first transformation of a proof of a shuffle into an efficient 
zero-knowledge proof of knowledge in the UC-framework. An important technical 
advantage of the new decrypt and permute construction is that witnesses are 
much smaller than for previous shuffle relations. 

Combined, our results give a mix-net that is provably UC-secure against 
static adversaries corrupting any minority of the mix-servers. The mix-net is 
efficient for any number of mix-servers, improving the result in Wikström [49]. 


1.3 Outline of the Paper 

The paper is organized as follows. Notation is introduced in Section 2. In Section 
3 we define the ideal mix-net functionality. A partial result in this direction is 
given in Section 4, where we describe a sender verifiable mix-net and discuss sender 
verifiability. In Section 5 we describe a zero-knowledge proof of knowledge that a 
mix-server processes its input correctly. Then in Section 6 we transform this into a 
realization of an ideal zero-knowledge functionality in the UC-framework. Proofs 
of all claims are given in the full version [50] of this paper. 

2 Notation 

Throughout, S_1, ..., S_N denote senders and M_1, ..., M_k mix-servers. All 
participants are modeled as interactive Turing machines. We abuse notation and use 
S_i and M_j to denote both the machines themselves and their identity. We denote 
the set of permutations of N elements by Σ_N. We use the term “randomly” 
instead of “uniformly and independently at random”. A function f: ℕ → [0, 1] is 
said to be negligible if for each c > 0 there exists a K_0 ∈ ℕ such that f(K) < K^{−c} 
for K > K_0 ∈ ℕ. A probability p(K) is overwhelming if 1 − p(K) is negligible. 

We assume that G_q is a group of prime order q with generator g for which 
the Decision Diffie-Hellman (DDH) Assumption holds. Informally, it means that 
it is infeasible to distinguish the distributions (g^α, g^β, g^{αβ}) and (g^α, g^β, g^γ) when 
α, β, γ ∈ Z_q are randomly chosen. This implies that also the Discrete Logarithm 
(DL) assumption holds, namely that it is infeasible to compute the logarithm 
in base g of a random element in G_q. For concreteness we let G_q be a subgroup 
of prime order q of the multiplicative group Z_p^* for some prime p. When we say 
that an element in Z_q is prime, we mean that its representative in {0, ..., q − 1} 
is a prime when considered as an integer. 

We review the El Gamal [14] cryptosystem employed in G_q. The private key 
x is generated by choosing x ∈ Z_q randomly. The corresponding public key is 
(g, y), where y = g^x. Encryption of a message m ∈ G_q using the public key (g, y) 
is given by E_{(g,y)}(m, r) = (g^r, y^r m), where r is chosen randomly from Z_q, and 
decryption of a cryptotext of the form (u, v) = (g^r, y^r m) using the private key 
x is given by D_x(u, v) = u^{−x} v = m. 
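El Gamal in G_q, as an added example (Python) that is not part of the paper: G_q is the order-q subgroup of Z_p^* for a safe prime p = 2q + 1, and every cryptotext component is checked for membership in G_q before use, the convention stated at the end of Section 2.1. The parameters p = 1019, q = 509, g = 4 and the encoding of small integers as squares modulo p (so that they lie in G_q) are assumptions of this example; real parameters are hundreds of bits.

```python
import random

# Toy of the Section 2 setting, constructed for illustration: p = 2q + 1 is a
# 10-bit safe prime, G_q is the order-q subgroup of Z_p^* (the quadratic residues)
# and g = 2^2 = 4 generates it. Real parameters would be hundreds of bits.
P, Q, G = 1019, 509, 4

def in_group(e):
    """e in G_q iff 0 < e < p and e^q = 1 (mod p). The paper's protocols hand back
    any message whose components fail this check."""
    return 0 < e < P and pow(e, Q, P) == 1

def keygen(rng):
    """Private key x in Z_q, public key (g, y) with y = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def encode(t):
    """Map an integer 1 <= t <= q into G_q as t^2 mod p (the squares are exactly G_q)."""
    assert 1 <= t <= Q
    return pow(t, 2, P)

def decode(m):
    """Inverse of encode: the square root of m lying in 1..q (p = 3 mod 4)."""
    r = pow(m, (P + 1)//4, P)
    return min(r, P - r)

def encrypt(y, m, rng):
    """E_(g,y)(m, r) = (g^r, y^r m) with r random in Z_q."""
    assert in_group(m)
    r = rng.randrange(1, Q)
    return pow(G, r, P), pow(y, r, P) * m % P

def decrypt(x, c):
    """D_x(u, v) = u^{-x} v, after rejecting components outside G_q."""
    u, v = c
    if not (in_group(u) and in_group(v)):
        raise ValueError("cryptotext component outside G_q")
    return pow(u, Q - x, P) * v % P          # u^{-x} = u^{q-x} because u^q = 1

def rejects(x, c):
    """True iff decrypt refuses c (e.g. a component of order 2, such as p - 1)."""
    try:
        decrypt(x, c)
        return False
    except ValueError:
        return True

def roundtrip(t, seed=5):
    """Encrypt the encoding of t under a fresh key and decrypt it again."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    return decode(decrypt(x, encrypt(y, encode(t), rng)))
```

Elements such as p − 1 (order 2) or 2 (a non-residue, since p ≡ 3 mod 8) are exactly what the membership check filters out before any exponentiation with the private key takes place.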

We also use an RSA modulus N = pq, where p and q are safe primes. 
We denote by QR_N the group of squares in Z_N^* and adopt the convention that 
any element b in QR_N is written in boldface. We assume that the strong RSA- 
assumption holds for such rings. Informally, it means that given random (N, h), 
where h ∈ QR_N, it is infeasible to find a non-trivial e-th root b of h, i.e., an 
e ≠ ±1 such that b^e = h. This differs from the RSA-assumption in that e is not 
fixed. 

The primary security parameter $K_1$ is the number of bits in $q$. Several other security parameters are introduced later in the paper. We denote by $\mathsf{PRG}$ a pseudo-random generator (cf. [23]). We denote by $\mathsf{Sort}$ the algorithm that, given a list of strings as input, outputs the same set of strings in lexicographical order.


2.1 The Universally Composable Security Framework 

We analyze the security of our protocols in the Universally Composable (UC) 
security framework of Canetti [9]. There are several variants and extensions of 



276 D. Wikstrom 


this framework, but we consider a plain model with asynchronous authenticated 
communication. In the full version [50] we give a formal definition of this model. 
Here we only indicate how our notation differs from the standard [9].

The notion of a communication model, $\mathcal{C}_{\mathcal{I}}$, used below is not explicit in Canetti [9]. It works as a router between participants and between participants and ideal functionalities. Given the input $((A_1, B_1, C_1, \ldots), \ldots, (A_s, B_s, C_s, \ldots))$ it interprets $A_j$ as the receiver of $(B_j, C_j, \ldots)$. The adversary cannot read the correspondence with ideal functionalities, but it has full control over when a message is delivered.

Our results hold for both blocking and non-blocking adversaries, where a 
blocking adversary is allowed to block the delivery of a message indefinitely. 

Definition 1. We define $\mathcal{M}^k_l$ to be the set of static adversaries that corrupt less than $l$ out of $k$ participants of the mix-server type, and arbitrarily many participants of the sender type.

Throughout we implicitly assume that a message handed to an ideal functionality that is not of the form prescribed in its definition is returned to the sender immediately. In particular this includes verifying membership in $G_q$ when appropriate. We use the same convention for definitions of protocols.

3 The Ideal Mix-Net 

Although other definitions of security of mix-nets have been proposed, the most natural definition is given by Wikström [49] in the UC-framework. He formalizes a trusted party that waits for messages from senders, and then, when a majority of the mix-servers request it, outputs these messages in lexicographical order. For simplicity it accepts only one input from each sender. We prove security relative to this functionality.

Functionality 1 (Mix-Net). The ideal functionality for a mix-net, $\mathcal{F}_{MN}$, running with mix-servers $M_1, \ldots, M_k$, senders $S_1, \ldots, S_N$, and ideal adversary $\mathcal{S}$ proceeds as follows.

1. Initialize a list $L = \emptyset$, and set $J_P = \emptyset$ and $J_M = \emptyset$.

2. Repeatedly wait for new inputs and do

(a) Suppose $(S_i, \mathsf{Send}, m_i)$, $m_i \in G_q$, is received from $\mathcal{C}_{\mathcal{I}}$. If $i \notin J_P$, set $J_P \leftarrow J_P \cup \{i\}$, and append $m_i$ to $L$. Then hand $(\mathcal{S}, S_i, \mathsf{Send})$ to $\mathcal{C}_{\mathcal{I}}$.

(b) Suppose $(M_j, \mathsf{Run})$ is received from $\mathcal{C}_{\mathcal{I}}$. Set $J_M \leftarrow J_M \cup \{j\}$. If $|J_M| > k/2$, then sort the list $L$ lexicographically to form a list $L'$, hand $((\mathcal{S}, M_j, \mathsf{Output}, L'), \{(M_l, \mathsf{Output}, L')\}_{l=1}^k)$ to $\mathcal{C}_{\mathcal{I}}$ and ignore further messages. Otherwise, hand $\mathcal{C}_{\mathcal{I}}$ the list $(\mathcal{S}, M_j, \mathsf{Run})$.

4 A Sender Verifiable El Gamal Based Mix-Net 

In recent El Gamal based mix-nets, e.g. [38, 20, 49], the mix-servers form a chain, and each mix-server randomly permutes, partially decrypts, and re-encrypts the output of the previous mix-server. In older constructions decryption is instead carried out jointly at the end of the chain. Our construction is different in that each mix-server partially decrypts and sorts the output of the previous mix-server. Thus, no cryptotext is re-encrypted and the permutation is not random, but determined by the lexicographical order of the cryptotexts.

Let us consider why re-encryption is often considered necessary. In several previous mix-nets each mix-server $M_j$ holds a secret key $x_j \in \mathbb{Z}_q$ corresponding to a public key $y_j = g^{x_j}$. A joint public key $y = \prod_{j=1}^k y_j$ is used by a sender $S_i$ to compute a cryptotext $(u_{0,i}, v_{0,i}) = (g^{r_i}, y^{r_i} m_i)$ of a message $m_i$ for a random $r_i \in \mathbb{Z}_q$. The mix-servers take turns and compute

$$(u_{j,i}, v_{j,i})_{i=1}^N = \Big( g^{s_{j,i}} u_{j-1,\pi_j(i)},\ \Big(\prod_{l=j+1}^k y_l\Big)^{s_{j,i}} v_{j-1,\pi_j(i)} \big/ u_{j-1,\pi_j(i)}^{x_j} \Big)_{i=1}^N$$

for random $s_{j,i} \in \mathbb{Z}_q$ and $\pi_j \in \Sigma_N$, i.e., each mix-server permutes, partially decrypts and re-encrypts its input. In the end $(v_{k,i})_{i=1}^N = (m_{\pi(i)})_{i=1}^N$ for some random joint permutation $\pi$. The reason that re-encryption is necessary with this type of scheme is that otherwise the first component $u_{0,i}$ of each cryptotext remains unchanged during the transformation, which allows anybody to break the anonymity of all senders. For the older type of construction it is obvious why re-encryption is necessary.


4.1 Our Modification 


We modify the El Gamal cryptosystem to ensure that also the first component $u_{j,i}$ is changed during partial decryption. Each mix-server is given a secret key $(w_j, x_j) \in \mathbb{Z}_q^2$ and a corresponding public key $(z_j, y_j) = (g^{w_j}, g^{x_j})$. To partially decrypt and permute its input it computes

(1)

from $L_{j-1}$, and sorts the result lexicographically. The result is denoted by $L_j = (u_{j,i}, v_{j,i})_{i=1}^N$. Note that both components of each cryptotext are transformed using the secret key of the mix-server. For this transformation to make any sense we must also modify the way the joint key is formed. We define

$$(Z_{k+1}, Y_{k+1}) = (g, 1) \quad \text{and} \quad (Z_j, Y_j) = \big(Z_{j+1}^{w_j},\ Y_{j+1} Z_{j+1}^{x_j}\big). \qquad (2)$$

The joint keys must be computed jointly by the mix-servers. A sender encrypts its message using the public key $(Z_1, Y_1)$, i.e., $(u_{0,i}, v_{0,i}) = (Z_1^{r_i}, Y_1^{r_i} m_i)$ for some random $r_i$. The structure of the keys is chosen such that a cryptotext of the form $(u_{j-1,i}, v_{j-1,i}) = (Z_j^{r_i}, Y_j^{r_i} m_i)$ given as input to mix-server $M_j$ satisfies

$$\big(u_{j-1,i}^{1/w_j},\ v_{j-1,i} / u_{j-1,i}^{x_j/w_j}\big) = \big(Z_j^{r_i/w_j},\ Y_j^{r_i} Z_j^{-x_j r_i/w_j} m_i\big) = \big((Z_{j+1}^{w_j})^{r_i/w_j},\ Y_{j+1}^{r_i} Z_{j+1}^{x_j r_i} Z_{j+1}^{-x_j r_i} m_i\big) = \big(Z_{j+1}^{r_i},\ Y_{j+1}^{r_i} m_i\big).$$

Thus, each mix-server $M_j$ transforms a cryptotext $(u_{j-1,i}, v_{j-1,i})$ encrypted with the public key $(Z_j, Y_j)$ into a cryptotext $(u_{j,i}, v_{j,i})$ encrypted with the public key $(Z_{j+1}, Y_{j+1})$. Note that $\mathsf{Sort}(\{v_{k,i}\}_{i=1}^N) = \mathsf{Sort}(\{m_i\}_{i=1}^N)$, since $Y_{k+1} = 1$.

There are several seemingly equivalent ways to set up the scheme, but some of these do not allow a reduction of the security of the mix-net to the DDH-assumption. The relation in Equation (1) is carefully chosen to allow a reduction.


4.2 Sender Verifiability 

An important consequence of our modification is that a sender can compute $(Z_{j+1}^{r_i}, Y_{j+1}^{r_i} m_i)$ and verify that this pair is contained in $L_j$ for $j = 1, \ldots, k$. Furthermore, if this is not the case the sender can easily prove to any outsider which mix-server behaved incorrectly. We call this sender verifiability, since it allows a sender to verify that its cryptotext is processed correctly by the mix-servers. This is not a new property. In fact Chaum's original construction [10] has this property, but our construction is the first provably secure scheme with this property.

We think that sender verifiability is an important property that deserves 
more attention. The verification process is unconditional and easily explained 
to anybody with only a modest background in mathematics, and a verification 
program can be implemented with little skills in programming. This means that 
in the main application of mix-nets, electronic elections, a sender can convince 
herself that her vote was processed correctly. We stress that this verification does 
not guarantee anonymity or correct processing of any other cryptotext. Thus, a 
proof of the overall security of the mix-net is still required. 

The reader may worry that sender verifiability allows a voter to point out its vote to a coercer. This is the case, but the sender can do this in previous mix-nets as well by pointing at its message in the original list $L_0$ of cryptotexts and revealing the randomness used during encryption, so this problem is not specific to our scheme. Furthermore, our scheme becomes coercion-free whenever the sender does not know the randomness of its cryptotext, as do other El Gamal based mix-nets, but sender verifiability is then lost.
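As an added illustration, not code from the paper, the key chain of Equation (2), the partial-decrypt-and-sort step of Section 4.1 and the sender's check of Section 4.2 in Python over a toy group; the constants P, Q, G, the function names and the way the cheating server misbehaves are this example's own assumptions.

```python
import random

# Toy parameters constructed for this example (far too small for real use):
# p = 2q + 1 is a safe prime and G_q is the order-q subgroup of Z_p^*
# generated by g = 4 (a square mod p, hence of order q).
P, Q, G = 2039, 1019, 4


def joint_keys(secret_keys):
    """Equation (2): (Z_{k+1}, Y_{k+1}) = (g, 1) and
    (Z_j, Y_j) = (Z_{j+1}^{w_j}, Y_{j+1} * Z_{j+1}^{x_j}), computed from the
    last mix-server down to the first. In the paper this is done jointly by
    the mix-servers (F_SKS); here one function holding all secrets stands in.
    Returns Z, Y indexed 1..k+1 (index 0 unused)."""
    k = len(secret_keys)
    Z, Y = [None] * (k + 2), [None] * (k + 2)
    Z[k + 1], Y[k + 1] = G, 1
    for j in range(k, 0, -1):
        w_j, x_j = secret_keys[j - 1]
        Z[j] = pow(Z[j + 1], w_j, P)
        Y[j] = Y[j + 1] * pow(Z[j + 1], x_j, P) % P
    return Z, Y


def encrypt(Z1, Y1, m, r):
    """Sender's cryptotext (u_{0,i}, v_{0,i}) = (Z_1^{r_i}, Y_1^{r_i} m_i)."""
    return (pow(Z1, r, P), pow(Y1, r, P) * m % P)


def partial_decrypt_and_sort(L_prev, w_j, x_j):
    """Mix-server M_j: map every (u, v) to (u^{1/w_j}, v / u^{x_j/w_j}) and
    sort the result lexicographically (Section 4.1). No re-encryption and no
    random permutation: the order is fixed by the sorted values."""
    w_inv = pow(w_j, -1, Q)                      # 1/w_j in Z_q
    out = []
    for u, v in L_prev:
        u_new = pow(u, w_inv, P)                 # u^{1/w_j}
        # u^{x_j/w_j} = (u^{1/w_j})^{x_j}; dividing by it is multiplying by
        # u_new^{q - x_j}, since every element of G_q has order q.
        v_new = v * pow(u_new, Q - x_j, P) % P
        out.append((u_new, v_new))
    return sorted(out)


def sender_verify(lists, Z, Y, m, r):
    """Section 4.2: the sender recomputes (Z_{j+1}^r, Y_{j+1}^r m) and checks
    that it appears in L_j for j = 1..k. Returns 0 if every list checks out,
    else the index j of the first mix-server whose output is wrong."""
    for j, L_j in enumerate(lists, start=1):
        expected = (pow(Z[j + 1], r, P), pow(Y[j + 1], r, P) * m % P)
        if expected not in L_j:
            return j
    return 0


def run_mixnet(secret_keys, messages, rands, cheater=None):
    """Simulate the chain. If `cheater` is set, that mix-server uses a wrong
    exponent (constructed misbehaviour), silently corrupting its output."""
    Z, Y = joint_keys(secret_keys)
    L = [encrypt(Z[1], Y[1], m, r) for m, r in zip(messages, rands)]
    lists = []
    for j, (w_j, x_j) in enumerate(secret_keys, start=1):
        if cheater == j:
            x_j = (x_j + 1) % Q
        L = partial_decrypt_and_sort(L, w_j, x_j)
        lists.append(L)
    return Z, Y, lists


def final_output(lists):
    """Step 8 of Protocol 1: since Y_{k+1} = 1, v_{k,i} = m_i, so the
    output is Sort({v_{k,i}})."""
    return sorted(v for _, v in lists[-1])


if __name__ == "__main__":
    rng = random.Random(1)                       # constructed sample run
    keys = [(rng.randrange(1, Q), rng.randrange(1, Q)) for _ in range(3)]
    msgs = [pow(G, e, P) for e in (5, 17, 101, 333)]   # messages in G_q
    rs = [rng.randrange(1, Q) for _ in msgs]
    Z, Y, lists = run_mixnet(keys, msgs, rs)
    print("output == sorted messages:", final_output(lists) == sorted(msgs))
    print("honest run, first sender:", sender_verify(lists, Z, Y, msgs[0], rs[0]))
    Z, Y, lists = run_mixnet(keys, msgs, rs, cheater=2)
    print("cheating M_2 detected at:", sender_verify(lists, Z, Y, msgs[0], rs[0]))
```

The check is unconditional in the sense of the text: the sender needs only its own randomness and the published lists, not any mix-server secret.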

4.3 A Technical Advantage 

There is also an important technical consequence of the lack of re-encryption in the mixing process. The witness of our shuffle relation consists of a pair $(w_j, x_j)$, which makes it easy to turn our proof of knowledge into a secure realization of the ideal functionality. This should be contrasted with all previous shuffle relations, where the witness contains a long list of random exponents used to re-encrypt the input that must somehow be extracted by the ideal adversary in the UC-setting.

A potential alternative to our approach is to formalize the proof of a shuffle as a proof of membership [7] in the UC-framework. However, a proof of membership is not sufficient for the older constructions where decryption is carried out jointly at the end of the mixing chain. The problem is that the adversary could corrupt the last mix-server $M_k$ and instruct it to output $L_0$ instead of a re-encryption and permutation of $L_{k-1}$. This would obviously break the anonymity of all senders. The malicious behavior is not detected, since the ideal proof of membership only expects an element in the language and no witness from corrupted parties, and $L_0$ is a re-encryption and permutation of $L_{k-1}$. Interestingly, it seems that the adversary cannot attack the real protocol if the proof of membership of a correct shuffle is implemented using a proof of knowledge in the classical sense.

It is an open question if a proof of membership suffices for mix-nets where 
each mix-server partially decrypts and then re-encrypts and permutes its input. 

4.4 Preliminaries 

We describe the mix-net in a hybrid model as defined in the UC-framework. This 
means that the mix-servers and senders have access to a set of ideal function- 
alities introduced in this section. We assume the existence of an authenticated 
bulletin board. All parties can write to it, but no party can erase any message 
from it. A formal definition is given in [49,50]. We also assume an ideal func- 
tionality corresponding to the key set-up sketched in Section 4.1. This is given 
below. 

Functionality 2 (Special El Gamal Secret Key Sharing). The ideal Special El Gamal Secret Key Sharing over $G_q$, $\mathcal{F}_{SKS}$, with mix-servers $M_1, \ldots, M_k$, senders $S_1, \ldots, S_N$, and ideal adversary $\mathcal{S}$.

1. Initialize sets $J_j = \emptyset$ for $j = 0, \ldots, k$.

2. Until $|J_0| = k$, repeatedly wait for inputs. If $(M_j, \mathsf{MyKey}, w_j, x_j)$ is received from $\mathcal{C}_{\mathcal{I}}$ such that $w_j, x_j \in \mathbb{Z}_q$ and $j \notin J_0$, set $J_0 \leftarrow J_0 \cup \{j\}$, compute $z_j = g^{w_j}$ and $y_j = g^{x_j}$, and hand $(\mathcal{S}, \mathsf{PublicKey}, M_j, z_j, y_j)$ to $\mathcal{C}_{\mathcal{I}}$.

3. Set $(Z_{k+1}, Y_{k+1}) = (g, 1)$ and $(Z_j, Y_j) = (Z_{j+1}^{w_j}, Y_{j+1} Z_{j+1}^{x_j})$. Then hand $((\mathcal{S}, \mathsf{PublicKeys}, (Z_j, Y_j, z_j, y_j)_{j=1}^k), \{(S_i, \mathsf{PublicKeys}, (Z_j, Y_j, z_j, y_j)_{j=1}^k)\}_{i=1}^N, \{(M_l, \mathsf{Keys}, w_l, x_l, (Z_j, Y_j, z_j, y_j)_{j=1}^k)\}_{l=1}^k)$ to $\mathcal{C}_{\mathcal{I}}$.

4. Until $|J_0| = k$, repeatedly wait for inputs. If $(M_j, \mathsf{Recover}, M_l)$ is received from $\mathcal{C}_{\mathcal{I}}$, set $J_l \leftarrow J_l \cup \{j\}$. If $|J_l| > k/2$, then hand $((\mathcal{S}, \mathsf{Recovered}, M_l, w_l, x_l), \{(M_j, \mathsf{Recovered}, M_l, w_l, x_l)\}_{j=1}^k)$ to $\mathcal{C}_{\mathcal{I}}$, and otherwise hand $(\mathcal{S}, M_j, \mathsf{Recover}, M_l)$ to $\mathcal{C}_{\mathcal{I}}$.

The above functionality can be securely realized by letting each mix-server 
secret share its secret key using Feldman’s [15] verifiable secret sharing scheme. 
Note that the functionality explicitly allows corrupted mix-servers to choose 
their keys in a way that depends on the public keys of uncorrupted mix-servers. 
The special joint keys would then be computed iteratively using Equation (2), 
and during this process each mix-server would prove that it does this correctly 
using standard methods. 

Each mix-server partially decrypts each cryptotext and sorts the resulting cryptotexts. Thus, proving correct behavior corresponds to proving knowledge of a secret key $(w, x)$ such that the cryptotexts $(u_i, v_i)$ input to a mix-server are related to the cryptotexts $(u'_i, v'_i)$ it outputs by the following relation.

Definition 2 (Knowledge of Correct Decryption-Permutation). Define for each $N$ a relation $R_{DP} \subset (G_q^3 \times G_q^{2N} \times G_q^{2N}) \times (\mathbb{Z}_q \times \mathbb{Z}_q)$, by

$$\big((g, z, y, \{(u_i, v_i)\}_{i=1}^N, \{(u'_i, v'_i)\}_{i=1}^N), (w, x)\big) \in R_{DP}$$

precisely when $z = g^w$, $y = g^x$ and $(u'_i, v'_i) = \big(u_{\pi(i)}^{1/w},\ v_{\pi(i)} u_{\pi(i)}^{-x/w}\big)$ for $i = 1, \ldots, N$ and $\pi \in \Sigma_N$ such that the list $\{(u'_i, v'_i)\}_{i=1}^N$ is sorted lexicographically.

To avoid a large class of “relation attacks” [44, 43, 48] no sender can be al- 
lowed to construct a cryptotext of a message related to the message encrypted 
by some other sender. Thus, each sender is required to prove knowledge of the 
randomness it uses to form its cryptotexts. This corresponds to the following 
relation. 

Definition 3 (Knowledge of Cleartext). Define a relation $R_C \subset G_q^4 \times \mathbb{Z}_q$ by $((Z, Y, u, v), r) \in R_C$ precisely when $\log_Z u = r$.

Formally, we need a secure realization of the following functionality parame- 
terized by the above relations. 

Functionality 3 (Zero-Knowledge Proof of Knowledge). Let $\mathcal{L}$ be a language given by a binary relation $R$. The ideal zero-knowledge proof of knowledge functionality $\mathcal{F}_{ZK}^R$ of a witness $w$ to an element $x \in \mathcal{L}$, running with parties $P_1, \ldots, P_k$, proceeds as follows.

1. Upon receipt of $(P_i, \mathsf{Prover}, x, w)$ from $\mathcal{C}_{\mathcal{I}}$, store $w$ under the tag $(P_i, x)$, and hand $(\mathcal{S}, P_i, \mathsf{Prover}, x, R(x, w))$ to $\mathcal{C}_{\mathcal{I}}$.

2. Upon receipt of $(M_j, \mathsf{Question}, P_i, x)$ from $\mathcal{C}_{\mathcal{I}}$, let $w$ be the string stored under the tag $(P_i, x)$ (the empty string if nothing is stored), and hand $((\mathcal{S}, M_j, \mathsf{Verifier}, P_i, x, R(x, w)), (M_j, \mathsf{Verifier}, P_i, R(x, w)))$ to $\mathcal{C}_{\mathcal{I}}$.

In [49] a secure realization $\pi_C$ of $\mathcal{F}_{ZK}^{R_C}$ is given, under the DDH-assumption, which is secure against $\mathcal{M}^k_{k/2}$-adversaries.

The functionality is securely realized in Section 6. 


4.5 The Mix-Net 

We now give the details of our mix-net. It executes in a hybrid model with access 
to the ideal functionalities described above. 

Protocol 1 (Mix-Net). The mix-net protocol $\pi_{MN} = (S_1, \ldots, S_N, M_1, \ldots, M_k)$ consists of senders $S_i$, and mix-servers $M_j$.

Sender $S_i$. Each sender $S_i$ proceeds as follows.

1. Wait for $(\mathsf{PublicKeys}, (Z_j, Y_j, z_j, y_j)_{j=1}^k)$ from $\mathcal{F}_{SKS}$.

2. Wait for an input $(\mathsf{Send}, m_i)$, $m_i \in G_q$. Then choose $r_i \in \mathbb{Z}_q$ randomly and compute $(u_i, v_i) = E_{(Z_1, Y_1)}(m_i, r_i) = (Z_1^{r_i}, Y_1^{r_i} m_i)$. Then hand $(\mathsf{Prover}, (Z_1, Y_1, u_i, v_i), r_i)$ to $\mathcal{F}_{ZK}^{R_C}$ and hand $(\mathsf{Write}, (u_i, v_i))$ to $\mathcal{F}_{BB}$.



A Sender Verifiable Mix-Net and a New Proof of a Shuffle 281 


Mix-Server $M_j$. Each mix-server $M_j$ proceeds as follows.

1. Choose $w_j, x_j \in \mathbb{Z}_q$ randomly and hand $(\mathsf{MyKey}, w_j, x_j)$ to $\mathcal{F}_{SKS}$.

2. Wait for $(\mathsf{Keys}, (w_j, x_j), (Z_l, Y_l, z_l, y_l)_{l=1}^k)$ from $\mathcal{F}_{SKS}$, where $w_j, x_j \in \mathbb{Z}_q$ and $Z_l, Y_l, z_l, y_l \in G_q$.

3. Wait for an input $(\mathsf{Run})$, and then hand $(\mathsf{Write}, \mathsf{Run})$ to $\mathcal{F}_{BB}$.

4. Wait until more than $k/2$ different mix-servers have written $\mathsf{Run}$ on $\mathcal{F}_{BB}$, and let the last entry of this type be $(c_{\mathsf{Run}}, M_l, \mathsf{Run})$.

5. Form the list $L_* = \{(u_\gamma, v_\gamma)\}_{\gamma \in I_*}$, for some index set $I_*$, by choosing for $\gamma = 1, \ldots, N$ the entry $(c, S_\gamma, (u_\gamma, v_\gamma))$ on $\mathcal{F}_{BB}$ with the smallest $c < c_{\mathsf{Run}}$ such that $u_\gamma, v_\gamma \in G_q$, if present.

6. For each $\gamma \in I_*$ do the following.

(a) Hand $(\mathsf{Question}, S_\gamma, (Z_1, Y_1, u_\gamma, v_\gamma))$ to $\mathcal{F}_{ZK}^{R_C}$.

(b) Wait for $(\mathsf{Verifier}, S_\gamma, b_\gamma)$ from $\mathcal{F}_{ZK}^{R_C}$.

Then form $L_0 = \{(u_{0,i}, v_{0,i})\}_{i=1}^N$ consisting of the pairs $(u_\gamma, v_\gamma)$ such that $b_\gamma = 1$.

7. For $l = 1, \ldots, k$ do

(a) If $l \neq j$, then do

i. Wait until an entry $(c, M_l, (\mathsf{List}, L_l))$ appears on $\mathcal{F}_{BB}$, where $L_l$ is of the form $\{(u_{l,i}, v_{l,i})\}_{i=1}^N$ for $u_{l,i}, v_{l,i} \in G_q$.

ii. Hand $(\mathsf{Question}, M_l, (g, z_l, y_l, L_{l-1}, L_l))$ to $\mathcal{F}_{ZK}^{R_{DP}}$, and wait for $(\mathsf{Verifier}, M_l, b_l)$ from $\mathcal{F}_{ZK}^{R_{DP}}$.

iii. If $b_l = 0$, then hand $(\mathsf{Recover}, M_l)$ to $\mathcal{F}_{SKS}$, and wait for $(\mathsf{Recovered}, M_l, (w_l, x_l))$ from $\mathcal{F}_{SKS}$. Then compute

$$L_l = \{(u_{l,i}, v_{l,i})\}_{i=1}^N = \mathsf{Sort}\Big(\big\{\big(u_{l-1,i}^{1/w_l},\ v_{l-1,i} u_{l-1,i}^{-x_l/w_l}\big)\big\}_{i=1}^N\Big).$$

(b) If $l = j$, then compute

$$L_j = \{(u_{j,i}, v_{j,i})\}_{i=1}^N = \mathsf{Sort}\Big(\big\{\big(u_{j-1,i}^{1/w_j},\ v_{j-1,i} u_{j-1,i}^{-x_j/w_j}\big)\big\}_{i=1}^N\Big).$$

Finally hand $(\mathsf{Prover}, (g, z_j, y_j, L_{j-1}, L_j), (w_j, x_j))$ to $\mathcal{F}_{ZK}^{R_{DP}}$, and hand $(\mathsf{Write}, (\mathsf{List}, L_j))$ to $\mathcal{F}_{BB}$.

8. Output $(\mathsf{Output}, \mathsf{Sort}(\{v_{k,i}\}_{i=1}^N))$.

Theorem 1. The ideal functionality $\mathcal{F}_{MN}$ is securely realized by $\pi_{MN}$ in the $(\mathcal{F}_{BB}, \mathcal{F}_{SKS}, \mathcal{F}_{ZK}^{R_C}, \mathcal{F}_{ZK}^{R_{DP}})$-hybrid model with respect to $\mathcal{M}^k_{k/2}$-adversaries under the DDH-assumption in $G_q$.

5 A New Efficient Proof of a Shuffle 

We want to securely realize the ideal functionality $\mathcal{F}_{ZK}^{R_{DP}}$. It turns out that a useful step in this direction is to construct a statistical zero-knowledge proof for the relation $R_{DP}$, i.e., a proof of the decryption-permutation shuffle. First we explain the key ideas in our approach. Then we give a detailed description of our protocol. Finally, we explain how it can be turned into a public coin protocol.
5.1 Our Approach

The protocol for proving the relation $R_{DP}$ is complex, but the underlying ideas are simple. To simplify the exposition we follow Neff [37, 38] and consider the problem of proving that a list of elements in $G_q$ are exponentiated and permuted. More precisely, let $y, u_1, \ldots, u_N, u'_1, \ldots, u'_N \in G_q$ be defined by $y = g^x$ and $u'_i = u_{\pi(i)}^x$ for a permutation $\pi$. Only the prover knows $x$ and $\pi$ and it must show that the elements satisfy such a relation. We also omit numerous technical details. In particular we remove several blinding factors, hence the protocols are not zero-knowledge as sketched here.

Extraction Using Linear Independence. The verifier chooses a list $P = (p_i)_{i=1}^N \in \mathbb{Z}_q^N$ of random primes and computes $U = \prod_{i=1}^N u_i^{p_i}$. Then it requests that the prover computes $U' = \prod_{i=1}^N (u'_i)^{p_{\pi(i)}}$, proves that $U' = U^x$ and that it knows a permutation $\pi$ such that $U' = \prod_{i=1}^N (u'_i)^{p_{\pi(i)}}$.

The idea is then that if a prover succeeds in doing this it can be rewound and run several times with different random vectors $P_j$, giving different $U_j$ and $U'_j$, until a set $P_1, \ldots, P_N$ of linearly independent vectors in $\mathbb{Z}_q^N$ are found. Linear independence implies that there are coefficients $a_{l,j} \in \mathbb{Z}_q$ such that $\sum_{j=1}^N a_{l,j} P_j$ equals the $l$th unity vector $e_l$, i.e., the vector with a one in the $l$th position and all other elements zero. We would then like to conclude that

$$u_l^x = \Big(\prod_{j=1}^N U_j^{a_{l,j}}\Big)^x = \prod_{j=1}^N (U'_j)^{a_{l,j}} = \prod_{j=1}^N \Big(\prod_{i=1}^N (u'_i)^{p_{j,\pi(i)}}\Big)^{a_{l,j}} = u'_{\pi^{-1}(l)} \qquad (3)$$

since that would imply that the elements satisfy the shuffle-relation.

Proving a Permutation of Prime Exponents. The prover can use standard techniques to prove knowledge of integers $\rho_1, \ldots, \rho_N$ such that $U' = \prod_{i=1}^N (u'_i)^{\rho_i}$, but it must also prove that $\rho_i = p_{\pi(i)}$ for some permutation $\pi$.

Suppose that $\prod_{i=1}^N \rho_i = \prod_{i=1}^N p_i$ over $\mathbb{Z}$. Then unique factorization in $\mathbb{Z}$ implies that each $\rho_i$ equals some product of the $p_i$ and $-1$. If in addition we demand that $\rho_i \in [-2^K + 1, 2^K - 1]$, no such product can contain more than one factor. This implies that every product must contain exactly one factor. Thus, $\rho_i = \pm p_{\pi(i)}$ for some permutation $\pi$. If we also have $\sum_{i=1}^N \rho_i = \sum_{i=1}^N p_i$, then we must clearly have $\rho_i = p_{\pi(i)}$.

We observe that proving the above is relatively simple over a group of unknown order such as the group $QR_N$ of squares modulo an RSA modulus $N$. The prover forms commitments

$$\mathbf{b}_0 = \mathbf{g}, \qquad (\mathbf{b}_i, \mathbf{b}'_i)_{i=1}^N = \big(\mathbf{h}^{t_i} \mathbf{b}_{i-1}^{\rho_i},\ \mathbf{h}^{t'_i} \mathbf{g}^{\rho_i}\big)_{i=1}^N,$$

with random $t_i$ and $t'_i$ and proves, using standard methods, knowledge of $\rho_i, t_i, t'_i$ such that

$$U' = \prod_{i=1}^N (u'_i)^{\rho_i}, \qquad \mathbf{b}_i = \mathbf{h}^{t_i} \mathbf{b}_{i-1}^{\rho_i}, \qquad \text{and} \qquad \mathbf{b}'_i = \mathbf{h}^{t'_i} \mathbf{g}^{\rho_i}. \qquad (4)$$

Note that $\mathbf{b}_N = \mathbf{h}^{\tau} \mathbf{g}^{\prod_{i=1}^N \rho_i}$ for some $\tau$, so the verifier can check that $\prod_{i=1}^N \rho_i = \prod_{i=1}^N p_i$ by asking the prover to show that it knows $\tau$ such that $\mathbf{b}_N / \mathbf{g}^{\prod_{i=1}^N p_i} = \mathbf{h}^{\tau}$. We then note that a standard proof of knowledge over a group of unknown order also gives an upper bound on the bit-size of the exponents, i.e., it implicitly proves that $\rho_i \in [-2^K + 1, 2^K - 1]$. Finally, since $\prod_{i=1}^N \mathbf{b}'_i = \mathbf{h}^{\tau'} \mathbf{g}^{\sum_{i=1}^N \rho_i}$ for $\tau' = \sum_{i=1}^N t'_i$, the verifier can check that $\sum_{i=1}^N \rho_i = \sum_{i=1}^N p_i$ by asking the prover to show that it knows $\tau'$ such that $\prod_{i=1}^N \mathbf{b}'_i / \mathbf{g}^{\sum_{i=1}^N p_i} = \mathbf{h}^{\tau'}$.

Fixing a Permutation. In Equation (3) above it is assumed that a fixed permutation $\pi$ is used for all prime vectors $P_1, \ldots, P_N$. Unfortunately, this is not necessarily the case, i.e., the permutation used in the $j$th proof may depend on $j$ and we should really write $\pi_j$.

To solve this technical problem we force the prover to commit to a fixed permutation $\pi$ before it receives the prime vector $P$. The commitment is of the form $(w_i)_{i=1}^N = (g^{r_i} g_{\pi^{-1}(i)})_{i=1}^N$. The verifier then computes $W = \prod_{i=1}^N w_i^{p_i}$ and the prover proves that $W = g^{r'} \prod_{i=1}^N g_i^{p_{\pi(i)}}$ in addition to Equations (4). The idea is that the prover must use $\pi$ to permute the $p_i$ or find a non-trivial representation of $1 \in G_q$ using $g, g_1, \ldots, g_N$, which is infeasible under the DL-assumption.

5.2 An Honest Verifier Statistical Zero-Knowledge Computationally Convincing Proof of Knowledge of a Decryption-Permutation

In this section we describe our proof of a shuffle in detail. Although we consider 
a decrypt-permutation relation, our approach can be generalized to a proof of 
a shuffle for the other shuffle relations considered in the literature. In the full 
version [50] we detail such shuffles, including a shuffle of Paillier [41] cryptotexts. 

We introduce several security parameters. We use $K_1$ to denote the number of bits in $q$, the order of the group $G_q$, and similarly $K_2$ to denote the number of bits in the RSA-modulus $N$. We use $K_3$ to denote the number of bits used in the random primes mentioned above. At some point in the protocol the verifier hands a challenge to the prover. We use $K_4$ to denote the number of bits in this challenge. At several points exponents must be padded with random bits to achieve statistical zero-knowledge. We use $K_5$ to denote the number of additional random bits used to do this. We assume that the security parameters are chosen such that $K_3 + K_4 + K_5 < K_1, K_2$, and $K_5 < K_3 - 2$. Below the protocol we explain how the informal description above relates to the different components of the protocol.

Protocol 2 (Proof of Decryption-Permutation). The common input consists of an RSA modulus $N$ and $\mathbf{g}, \mathbf{h} \in QR_N$, generators $g, g_1, \ldots, g_N \in G_q$, a public key $(z, y) \in G_q^2$, and two lists $L = (u_i, v_i)_{i=1}^N$ and $L' = (u'_i, v'_i)_{i=1}^N$ in $G_q^{2N}$. The private input to the prover consists of $(w, x) \in \mathbb{Z}_q^2$ such that $(z, y) = (g^w, g^x)$ and $(u'_i, v'_i) = \big(u_{\pi(i)}^{1/w},\ v_{\pi(i)} u_{\pi(i)}^{-x/w}\big)$ for a permutation $\pi \in \Sigma_N$ such that $L'$ is lexicographically sorted.
1. The prover chooses $r'_i \in \mathbb{Z}_q$ randomly for $i = 1, \ldots, N$, computes $(w_i)_{i=1}^N = (g^{r'_i} g_{\pi^{-1}(i)})_{i=1}^N$, and hands $(w_i)_{i=1}^N$ to the verifier.

2. The verifier chooses random primes $p_1, \ldots, p_N \in [2^{K_3-1}, 2^{K_3} - 1]$, and hands $(p_i)_{i=1}^N$ to the prover.

3. Both parties compute $(U, V, W) = \big(\prod_{i=1}^N u_i^{p_i},\ \prod_{i=1}^N v_i^{p_i},\ \prod_{i=1}^N w_i^{p_i}\big)$.

4. The prover chooses the following elements randomly: $k_1, k_2, k_3, k_4, k_5 \in \mathbb{Z}_q$; $l_1, \ldots, l_7, l_{r'}, l_{1/w}, l_{x/w}, l_w, l_x \in \mathbb{Z}_q$; $t_i, t'_i \in [0, 2^{K_2+K_5} - 1]$, $s_i, s'_i \in [0, 2^{K_2+K_4+2K_5} - 1]$ and $r_i \in [0, 2^{K_3+K_4+K_5} - 1]$ for $i = 1, \ldots, N$; $s \in [0, 2^{K_2+NK_3+K_4+K_5+\log_2 N} - 1]$; and $s' \in [0, 2^{K_2+K_5+\log_2 N} - 1]$. Then the prover computes

$(b_1, b_2) = (g^{k_1} U^{1/w},\ g^{k_2} U^{x/w})$ (5)

$(b_3, b_4, b_5) = $ [right-hand side illegible in the source] (6)

$(\beta_1, \beta_2) = (g^{l_1} U^{l_{1/w}},\ g^{l_2} U^{l_{x/w}})$ (7)

$(\beta_3, \beta_4) = $ [right-hand side illegible in the source] (8)

$(\beta_5, \beta_6, \beta_7, \beta_8, \beta_9) = $ [right-hand side illegible in the source] (9)

$(\alpha_1, \alpha_2, \alpha_3) = $ [right-hand side illegible in the source] (10)

$\mathbf{b}_0 = \mathbf{g}$ (11)

$(\mathbf{b}_i, \mathbf{b}'_i)_{i=1}^N = \big(\mathbf{h}^{t_i} \mathbf{b}_{i-1}^{p_{\pi(i)}},\ \mathbf{h}^{t'_i} \mathbf{g}^{p_{\pi(i)}}\big)_{i=1}^N$ (12)

$(\boldsymbol{\gamma}_i, \boldsymbol{\gamma}'_i)_{i=1}^N = \big(\mathbf{h}^{s_i} \mathbf{b}_{i-1}^{r_i},\ \mathbf{h}^{s'_i} \mathbf{g}^{r_i}\big)_{i=1}^N$ (13)

$(\boldsymbol{\gamma}, \boldsymbol{\gamma}') = (\mathbf{h}^{s}, \mathbf{h}^{s'})$ (14)

and $\big((b_i)_{i=1}^5, (\beta_i)_{i=1}^9, (\alpha_1, \alpha_2, \alpha_3), (\mathbf{b}_i, \mathbf{b}'_i)_{i=1}^N, (\boldsymbol{\gamma}_i, \boldsymbol{\gamma}'_i)_{i=1}^N, (\boldsymbol{\gamma}, \boldsymbol{\gamma}')\big)$ is handed to the verifier.

5. The verifier chooses $c \in [2^{K_4-1}, 2^{K_4} - 1]$ randomly and hands $c$ to the prover.

6. Define $t = t_N + p_{\pi(N)}\big(t_{N-1} + p_{\pi(N-1)}\big(t_{N-2} + p_{\pi(N-2)}\big(t_{N-3} + p_{\pi(N-3)}(\cdots)\big)\big)\big)$, $t' = \sum_{i=1}^N t'_i$, $r' = \sum_{i=1}^N r'_i p_i$, $k_6 = k_4 + k_3 x$, and $k_7 = k_5 + k_3 w$. The prover computes

$(f_i)_{i=1}^7 = (c k_i + l_i)_{i=1}^7 \bmod q$

$(f_{1/w}, f_{x/w}) = (c/w + l_{1/w},\ cx/w + l_{x/w}) \bmod q$

$(f_w, f_x) = (cw + l_w,\ cx + l_x) \bmod q$

$f_{r'} = cr' + l_{r'} \bmod q$

$(e_i, e'_i)_{i=1}^N = (c t_i + s_i,\ c t'_i + s'_i)_{i=1}^N \bmod 2^{K_2+K_4+2K_5}$

$(d_i)_{i=1}^N = (c p_{\pi(i)} + r_i)_{i=1}^N \bmod 2^{K_3+K_4+K_5}$

$e = ct + s \bmod 2^{K_2+NK_3+K_4+K_5+\log_2 N}$

$e' = ct' + s' \bmod 2^{K_2+K_5+\log_2 N}$

Then it hands $\big((f_i)_{i=1}^7, f_{1/w}, f_{x/w}, f_w, f_x, f_{r'}, (e_i, e'_i)_{i=1}^N, (d_i)_{i=1}^N, (e, e')\big)$ to the verifier.

7. The verifier checks that $b_i, \beta_i, \alpha_i \in G_q$, that $L'$ is lexicographically sorted, and that

$(b_1^c \beta_1,\ b_2^c \beta_2) = (g^{f_1} U^{f_{1/w}},\ g^{f_2} U^{f_{x/w}})$ (15)

$(b_3^c \beta_3,\ b_4^c \beta_4) = $ [right-hand side illegible in the source] (16)

$(b_4^c \beta_5,\ y^c \beta_6) = $ [right-hand side illegible in the source] (17)

Equation (18): [illegible in the source]

$(b_1^c \alpha_1,\ (V/b_2)^c \alpha_2,\ W^c \alpha_3) = $ [right-hand side illegible in the source] (19)

$(\mathbf{b}_i^c \boldsymbol{\gamma}_i,\ (\mathbf{b}'_i)^c \boldsymbol{\gamma}'_i)_{i=1}^N = \big(\mathbf{h}^{e_i} \mathbf{b}_{i-1}^{d_i},\ \mathbf{h}^{e'_i} \mathbf{g}^{d_i}\big)_{i=1}^N$ (20)

$\big(\mathbf{g}^{-\prod_{i=1}^N p_i}\, \mathbf{b}_N\big)^c \boldsymbol{\gamma} = \mathbf{h}^{e}$ (21)

$\big(\mathbf{g}^{-\sum_{i=1}^N p_i} \prod_{i=1}^N \mathbf{b}'_i\big)^c \boldsymbol{\gamma}' = \mathbf{h}^{e'}.$ (22)


Equations (5)-(9) are used to prove that $(b_1, V/b_2) = (g^{k_1} U^{1/w},\ g^{-k_2} V/U^{x/w})$ using standard Schnorr-like proofs of knowledge of logarithms. Equations (12) contain commitments corresponding to those in the outline of our approach. Equations (13) are used to prove knowledge of exponents $t_i, t'_i, \rho_i$ such that $(\mathbf{b}_i, \mathbf{b}'_i) = (\mathbf{h}^{t_i} \mathbf{b}_{i-1}^{\rho_i},\ \mathbf{h}^{t'_i} \mathbf{g}^{\rho_i})$. We remark that the verifier need not check that $\mathbf{b}_i, \mathbf{b}'_i, \boldsymbol{\gamma}_i, \boldsymbol{\gamma}'_i, \boldsymbol{\gamma}, \boldsymbol{\gamma}' \in QR_N$ for our analysis to go through. Equations (14) are used to prove that $\prod_{i=1}^N \rho_i = \prod_{i=1}^N p_i$ and $\sum_{i=1}^N \rho_i = \sum_{i=1}^N p_i$, i.e., that $\rho_i$ in fact equals $p_{\pi(i)}$ for some permutation $\pi$. Equation (10) is used to prove that $(b_1, V/b_2)$ also equals $(g^{k_1}$ [text lost in the source]. When the two ways of writing $b_1$ and $b_2$ are combined we have

/ v N v 

which by the argument in Section 5.1 implies that $((g, z, y, L, L'), (w, x)) \in R_{DP}$.

5.3 Security Properties 

Formally, the security properties of our protocol are captured by the following. 

Proposition 1 (Zero-Knowledge). Protocol 2 is honest verifier statistical 
zero-knowledge. 

The protocol could be modified by adding a first step, where the verifier chooses $(N, \mathbf{g}, \mathbf{h})$ and $(g_1, \ldots, g_N)$. This would give a computationally sound proof of knowledge. However, in our application we wish to choose these parameters jointly and only once, and then let the mix-servers execute the proof with these parameters as common inputs. Thus, there may be a negligible portion of the parameters on which the prover can convince the verifier of false statements. Because of this we cannot hope to prove that the protocol is a proof of knowledge in the formal sense. Damgård and Fujisaki [12] introduce the notion of a computationally convincing proof of knowledge to deal with situations like these. We do not use the notion of "computationally convincing proofs" explicitly in our security analysis, but the proposition below implies that our protocol satisfies their definition.

We consider a malicious prover $A$ which is given $\Gamma = (N, \mathbf{g}, \mathbf{h})$ and $\bar{g} = (g, g_1, \ldots, g_N)$ as input and run with internal randomness $r_p$. The prover outputs an instance $I_A(\Gamma, \bar{g}, r_p)$, i.e., public keys $z, y \in G_q$ and two lists $L, L' \in G_q^{2N}$, and then interacts with the honest verifier on the common input consisting of $(\Gamma, \bar{g}, z, y, L, L')$. Denote by $T_A(\Gamma, \bar{g}, r_p, r_v)$ the transcript of such an interaction when the verifier runs with internal randomness $r_v$. Let $\mathsf{Acc}$ be the predicate taking a transcript $T$ as input that outputs 1 if the transcript is accepting and 0 otherwise. Let $L_{R_{DP}}$ be the language corresponding to the decryption-permutation relation $R_{DP}$. We prove the following proposition.

Proposition 2 (Soundness). Suppose the strong RSA-assumption and the DL-assumption are true. Then for all polynomial-size circuit families $A = \{A_{K_1}\}$ it holds that $\forall c > 0$, $\exists K_0$, such that for $K_1 > K_0$

$$\Pr_{\Gamma, \bar{g}, r_p, r_v}\Big[\mathsf{Acc}\big(T_A(\Gamma, \bar{g}, r_p, r_v)\big) = 1 \ \wedge\ I_A(\Gamma, \bar{g}, r_p) \notin L_{R_{DP}}\Big] < K_1^{-c}.$$

5.4 Generation of Primes from a Small Number of Public Coins 

In our protocol the verifier must generate vectors in $\mathbb{Z}_q^N$ such that each component is a "randomly" chosen prime in $[2^{K_3-1}, 2^{K_3} - 1]$. We define a generator $\mathsf{PGen}$ that generates prime vectors from public coins. Let $p(n)$ be the smallest prime at least as large as $n$. Our generator $\mathsf{PGen}$ takes as input $N$ random integers $n_1, \ldots, n_N \in [2^{K_3-1}, 2^{K_3} - 1]$ and internal randomness $r$, and defines $p_i = p(n_i)$.

To find $p_i$ it first redefines $n_i$ such that it is odd by incrementing by one if necessary. Then it executes the Miller-Rabin primality test for $n_i + 2, n_i + 4, \ldots$ until it finds a prime. We put an explicit bound on the running time of the generator by bounding the number of integers it considers and the number of iterations of the Miller-Rabin test it performs in total. If the generator stops due to one of these bounds it outputs $\bot$. If $N > K_3$, the bound corresponds to $N$ exponentiations modulo a $K_1$-bit integer. The generator can be used in the obvious way to turn the protocol above into a public-coin protocol. The verifier sends $(n_1, \ldots, n_N, r)$ to the prover instead of $p_1, \ldots, p_N$, and the prover and verifier generate the primes by computing $(p_1, \ldots, p_N) = \mathsf{PGen}(n_1, \ldots, n_N, r)$. A result by Baker and Harman [4] implies that the resulting distribution is close to uniform.

Theorem 2 (cf. [4]). For large integers $n$ there exists a prime in $[n - n^{0.535}, n]$.

Corollary 1. For all primes $p \in [2^{K_3-1}, 2^{K_3} - 1]$, $\Pr[p(n) = p] < 2^{-0.465(K_3-1)}$, where the probability is taken over a random choice of $n \in [2^{K_3-1}, 2^{K_3} - 1]$.
The corollary gives a very pessimistic bound. It is commonly believed that the theorem is true with 0.465 replaced by any constant less than one. Furthermore, Cramér argues probabilistically that there is a prime in every interval $[n - \log^2 n, n]$. See Ribenboim [46] for a discussion on this.

We must argue that the generator fails with negligible probability. There are two ways the generator can fail. Either it outputs $p_1, \ldots, p_N$, where $p_i \neq p(n_i)$ for some $i$, or it outputs $\bot$.

Lemma 1. The probability that $\mathsf{PGen}(n_1, \ldots, n_N, r) \neq (p(n_1), \ldots, p(n_N))$ conditioned on $\mathsf{PGen}(n_1, \ldots, n_N, r) \neq \bot$ is negligible.

Unfortunately, the current understanding of the distribution of the primes does not allow a strict analysis of the probability that $\mathsf{PGen}(n_1, \ldots, n_N, r) = \bot$. Instead we give a heuristic analysis in Cramér's probabilistic model of the primes.

Definition 4 (Cramér's Model). For each integer $n$, let $X_n$ be an independent binary random variable such that $\Pr[X_n = 1] = 1/\ln n$. An integer $n$ is said to be prime* if $X_n = 1$.

The idea is to consider the primality of the integers as a typical outcome of the sequence $(X_n)_{n \in \mathbb{Z}}$. Thus, when we analyze the generator we assume that the primality of an integer $n$ is given by $X_n$, and our analysis is both over the internal randomness of $\mathsf{PGen}$ and the randomness of $X_n$.

Lemma 2. In Cramér's model the probability that $\mathsf{PGen}(n_1, \ldots, n_N, r) = \bot$ is negligible.

We stress that zero-knowledge and soundness of the modified protocol are not heuristic. The zero-knowledge property holds for arbitrarily distributed integers $p_i$. Soundness follows from Lemma 1. It is only completeness that is argued heuristically. Although this is not always clear, similar heuristic arguments are common in the literature, e.g. to generate safe primes and to encode arbitrary messages in $G_q$. We assume that Lemma 2 is true from now on.

Although we now have a public-coin protocol it requires many random bits. This can be avoided by use of a pseudo-random generator $\mathsf{PRG}$ as suggested by Groth [28]. Instead of choosing $n_1, \ldots, n_N$ randomly and sending these integers to the prover, the verifier chooses a random seed $s \in [0, 2^{K_1} - 1]$ and hands this to the prover. The prover and verifier then compute $(n_1, \ldots, n_N) = \mathsf{PRG}(s)$ and compute the primes from the integers as described above. The output $(p_1, \ldots, p_N)$ may not appear to the prover as random, since he holds the seed $s$. However, we prove in the full version [50] that if we define $P_j = \mathsf{PGen}(\mathsf{PRG}(s))$ and let $P_1, \ldots, P_{j-1} \in \mathbb{Z}_q^N$ be any linearly independent vectors, the probability that $P_j \in \mathsf{Span}(P_1, \ldots, P_{j-1})$ or $p_{j,i} = p_{j,l}$ for some $i \neq l$ is negligible for all $1 < j < N$. This is all we need in our application.


Universal Verifiability and Random Oracles. If the Fiat-Shamir heuristic is applied to a proof of a shuffle, any outsider can check, non-interactively, that a mix-server behaves correctly. If the verification involves no trusted parameters, the resulting mix-net is called "universally verifiable". In our protocol the RSA parameters $(N, g, h)$ must be trusted by the verifier, and we do not see how these can be generated from public coins. Thus, if the Fiat-Shamir heuristic is applied to our protocol, the result is not truly universally verifiable.

However, we can achieve universal verifiability under the root assumption in class groups with prime discriminant. A class group is defined by its discriminant $\Delta$. It is conjectured that finding non-trivial roots in a class group with discriminant $\Delta = -p$ for a prime $p$ is infeasible (cf. [29]). The idea would be to generate a prime $p$ of suitable size from random coins handed to the prover by the verifier in the first round. Then the integer part of the protocol would be executed in the class group defined by $\Delta = -p$. With this modification the protocol gives a universally verifiable mix-net.


5.5 Complexity 

Comparing the complexity of protocols is tricky, since any comparison must 
take place for equal security rather than for equal security parameters. The 
only rigorous method to do this is to perform an exact security analysis of 
each protocol and choose the security parameters accordingly. Various opti- 
mization and pre-computing techniques are also applicable to different degrees 
in different protocols and in different applications. Despite this we argue in- 
formally, but carefully, in the full paper [50] that the complexity of our pro- 
tocol is at least as good as that of the most efficient previous proofs of a 
shuffle. 

More precisely, our protocol requires 5 rounds, as does the previously known most round-efficient proof of a shuffle involving decryption [21]. Furthermore, for practical parameters, e.g. $\kappa_1 = 2048$, $\kappa_2 = 1024$, $\kappa_4 = 160$, $\kappa_3 = 100$, and $\kappa_5 = 50$, the complexity is less than $2.5N$ and $1.6N$ general exponentiations in $G_q$ for the prover and verifier, respectively. With optimizations as in [21] this corresponds to $0.5N$ and $0.8N$ general exponentiations in $G_q$, which indicates that the protocol is at least as fast as that in [21].

6 Secure Realization of $\mathcal{F}_{\mathrm{ZK}}^{R_{\mathrm{DP}}}$

In this section we transform the proof of a shuffle into a secure realization of $\mathcal{F}_{\mathrm{ZK}}^{R_{\mathrm{DP}}}$ in a $(\mathcal{F}_{\mathrm{RSA}}, \mathcal{F}_{\mathrm{CF}}, \mathcal{F}_{\mathrm{BB}})$-hybrid model, where $\mathcal{F}_{\mathrm{RSA}}$ is an RSA common reference string functionality, $\mathcal{F}_{\mathrm{CF}}$ is a coin-flipping functionality, and $\mathcal{F}_{\mathrm{BB}}$ is the bulletin board functionality.

Functionality 4 (RSA Common Reference String). The ideal RSA Common Reference String, $\mathcal{F}_{\mathrm{RSA}}$, with mix-servers $M_1, \ldots, M_k$ and ideal adversary $\mathcal{S}$ proceeds as follows.

1. Generate two random $\kappa_2/2$-bit primes $p$ and $q$ such that $(p-1)/2$ and $(q-1)/2$ are prime and compute $N = pq$. Then choose $g$ and $h$ randomly in $QR_N$. Finally, hand $((\mathcal{S}, \mathrm{RSA}, N, g, h), \{(M_j, \mathrm{RSA}, N, g, h)\}_{j=1}^{k})$ to $\mathcal{C}_{\mathcal{I}}$.
There are protocols [6, 16] for generating a joint RSA modulus, but these are not analyzed in the UC-framework, so for technical reasons we cannot apply these directly. If these protocols cannot be used to give a UC-secure protocol, general methods [11] can be used, since this need only be done once.

Functionality 5 (Coin-Flipping). The ideal Coin-Flipping functionality, $\mathcal{F}_{\mathrm{CF}}$, with mix-servers $M_1, \ldots, M_k$ and adversary $\mathcal{S}$ proceeds as follows.

1. Set $J_K = \emptyset$ for all $K$.

2. On reception of $(M_j, \mathrm{GenerateCoins}, K)$ from $\mathcal{C}_{\mathcal{I}}$, set $J_K \leftarrow J_K \cup \{j\}$. If $|J_K| > k/2$, then set $J_K \leftarrow \emptyset$, choose $c \in \{0, 1\}^K$ randomly and hand $((\mathcal{S}, \mathrm{Coins}, c), \{(M_j, \mathrm{Coins}, c)\}_{j=1}^{k})$ to $\mathcal{C}_{\mathcal{I}}$.

It is not hard to securely realize the coin-flipping functionality using a UC-secure verifiable secret sharing scheme (cf. [1]). Each mix-server $M_j$ chooses a random string $c_j$ of $K$ bits and secretly shares it. Then all secrets are reconstructed and $c$ is defined as $\bigoplus_{j=1}^{k} c_j$.
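The realization sketched above, as an added example that is not part of the paper: each of $k$ mix-servers Shamir-shares its contribution $c_j$ over a prime field with threshold $t = \lfloor k/2 \rfloor + 1$, the servers that respond reconstruct every $c_j$ from the shares they hold, and the output is the XOR of the reconstructed strings. Plain Shamir sharing stands in for the verifiable secret sharing of [1] (the share-consistency checks and the UC machinery are omitted), so this is a simplification of mine, not the paper's construction; the modulus $P = 2^{127} - 1$, the function names and the parameters are my own choices.

```python
import secrets

# Shamir sharing over GF(P) with P the Mersenne prime 2^127 - 1, large enough
# to hold one K-bit coin string per secret for K <= 126 (my choice of field).
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs[0..t-1] at x, mod P (Horner)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % P
    return acc


def share(secret, k, t):
    """Split `secret` into k shares such that any t of them reconstruct it.
    Returns {server index j (1..k): share value}."""
    assert 0 <= secret < P and 1 <= t <= k < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {j: _eval_poly(coeffs, j) for j in range(1, k + 1)}


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the shares {j: value}."""
    secret = 0
    for j, s_j in shares.items():
        num, den = 1, 1
        for i in shares:
            if i != j:
                num = (num * (-i)) % P
                den = (den * (j - i)) % P
        secret = (secret + s_j * num * pow(den, P - 2, P)) % P
    return secret


def coin_flip(k, K, contributions=None, responders=None):
    """Simulate the realization of the coin-flipping functionality with k
    mix-servers producing K coins:
      1. every M_j picks c_j in {0,1}^K and Shamir-shares it with threshold t > k/2;
      2. the responding servers reconstruct every c_j from their shares, so a
         server that withholds its contribution cannot block the output as long
         as more than k/2 servers respond;
      3. c is the XOR of all c_j.
    `contributions` fixes the c_j (for tests); `responders` is the set of servers
    taking part in reconstruction. Returns (c, [c_1, ..., c_k])."""
    assert K <= 126
    t = k // 2 + 1  # strictly more than half of the servers
    if contributions is None:
        contributions = [secrets.randbits(K) for _ in range(k)]
    if responders is None:
        responders = set(range(1, k + 1))
    assert len(responders) >= t, "at most k/2 responders: no output"
    # step 1: each server deals shares of its own contribution
    dealt = [share(c_j, k, t) for c_j in contributions]
    # step 2: reconstruct every c_j from the shares the responders hold
    recovered = [reconstruct({j: d[j] for j in responders}) for d in dealt]
    # step 3: combine
    c = 0
    for c_j in recovered:
        c ^= c_j
    return c, recovered
```

Because every honest server's $c_j$ is uniform and fixed (shared) before any reconstruction starts, the XOR is uniform as soon as one server is honest, which is the property the functionality promises.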

Finally, we give the protocol which securely realizes $\mathcal{F}_{\mathrm{ZK}}^{R_{\mathrm{DP}}}$. This is essentially a translation of Protocol 2 into a multiparty protocol in the UC-setting.

Protocol 3 (Zero-Knowledge Proof of Decryption-Permutation). The protocol $\pi_{\mathrm{DP}} = (M_1, \ldots, M_k)$ consists of mix-servers $M_j$ and proceeds as follows.

Mix-Server $M_j$. Each mix-server $M_j$ proceeds as follows.

1. Wait for $(\mathrm{RSA}, N, g, h)$ from $\mathcal{F}_{\mathrm{RSA}}$. Then hand $(\mathrm{GenerateCoins}, N\kappa_1)$ to $\mathcal{F}_{\mathrm{CF}}$ and wait until it returns $(\mathrm{Coins}, (g_1', \ldots, g_N'))$. Then map these strings to elements in $G_q$ by $g_i = (g_i')^{(p-1)/q} \bmod p$ (recall that $G_q \subset \mathbb{Z}_p^*$).

2. On input $(\mathrm{Prover}, (g, z, y, L, L'), (w, x))$, where $((g, z, y, L, L'), (w, x)) \in R_{\mathrm{DP}}$:

   (a) Hand $(\mathrm{Prover}, (g, z, 1, 1), w)$ and $(\mathrm{Prover}, (g, y, 1, 1), x)$ to $\mathcal{F}_{\mathrm{ZK}}$.

   (b) Denote by $W$ the first message of the prover in Protocol 2. Then hand $(\mathrm{Write}, W, W)$ to $\mathcal{F}_{\mathrm{BB}}$.

   (c) Then hand $(\mathrm{GenerateCoins}, \kappa_1)$ to $\mathcal{F}_{\mathrm{CF}}$ and wait until it returns $(\mathrm{Coins}, s)$. Then set $P = \mathrm{PGen}(\mathrm{PRG}(s))$. If $P = \bot$ go to Step 2c, otherwise let $P$ be the primes used by the prover in Protocol 2.

   (d) Denote by $C$ the second message of the prover in Protocol 2. Hand $(\mathrm{Write}, C, C)$ to $\mathcal{F}_{\mathrm{BB}}$. Then hand $(\mathrm{GenerateCoins}, \kappa_4 - 1)$ to $\mathcal{F}_{\mathrm{CF}}$ and wait until it returns $(\mathrm{Coins}, c')$. Let $c = c' + 2^{\kappa_4 - 1}$ be the final challenge in Protocol 2.

   (e) Denote by $R$ the third message of the prover in Protocol 2. Hand $(\mathrm{Write}, R, R)$ to $\mathcal{F}_{\mathrm{BB}}$.

3. On input $(\mathrm{Question}, M_l, (g, z, y, L, L'))$, where $L, L' \in G_q^N$ and $(z, y) \in G_q^2$:

   (a) Hand $(\mathrm{Question}, M_l, (g, z, 1, 1))$ to $\mathcal{F}_{\mathrm{ZK}}$ and wait until it returns $(\mathrm{Verifier}, M_l, b_{z,l})$. Then hand $(\mathrm{Question}, M_l, (g, y, 1, 1))$ and wait until it returns $(\mathrm{Verifier}, M_l, b_{y,l})$. If $b_{z,l} b_{y,l} = 0$ output $(\mathrm{Verifier}, M_l, 0)$.

   (b) Then wait until $(M_l, W, W)$ appears on $\mathcal{F}_{\mathrm{BB}}$. Hand $(\mathrm{GenerateCoins}, \kappa_1)$ to $\mathcal{F}_{\mathrm{CF}}$ and wait until it returns $(\mathrm{Coins}, s)$. Then set $P = \mathrm{PGen}(\mathrm{PRG}(s))$. If $P = \bot$ go to Step 3b, otherwise let $P$ be the primes used by the verifier in Protocol 2.

   (c) Wait until $(M_l, C, C)$ appears on $\mathcal{F}_{\mathrm{BB}}$. Then hand $(\mathrm{GenerateCoins}, \kappa_4 - 1)$ to $\mathcal{F}_{\mathrm{CF}}$ and wait until it returns $(\mathrm{Coins}, c')$, and until $(M_l, R, R)$ appears on $\mathcal{F}_{\mathrm{BB}}$. Let $c = c' + 2^{\kappa_4 - 1}$ be the final challenge in Protocol 2. Then verify $(W, P, C, c, R)$ as in Protocol 2 and set $b_j = 1$ or $b_j = 0$ depending on the result.

   (d) Hand $(\mathrm{Write}, \mathrm{Judgement}, M_l, b_j)$ to $\mathcal{F}_{\mathrm{BB}}$ and wait until $(M_{l'}, \mathrm{Judgement}, M_l, b_{l'})$ appears on $\mathcal{F}_{\mathrm{BB}}$ for $l' \neq j$. Set $b = 1$ if $|\{b_{l'} \mid b_{l'} = 1\}| > k/2$ and otherwise $b = 0$. Output $(\mathrm{Verifier}, M_l, L, L', b)$.

Theorem 3. The ideal functionality $\mathcal{F}_{\mathrm{ZK}}^{R_{\mathrm{DP}}}$ is securely realized by $\pi_{\mathrm{DP}}$ in the $(\mathcal{F}_{\mathrm{ZK}}, \mathcal{F}_{\mathrm{CF}}, \mathcal{F}_{\mathrm{RSA}}, \mathcal{F}_{\mathrm{BB}})$-hybrid model with respect to $\mathcal{M}_{k/2}$-adversaries under the DL-assumption and the strong RSA-assumption.

Corollary 2. The composition of $\pi_{\mathrm{MN}}$, $\pi_{\mathrm{KG}}$, $\pi_{\mathrm{DP}}$ securely realizes $\mathcal{F}_{\mathrm{MN}}$ in the $(\mathcal{F}_{\mathrm{SKS}}, \mathcal{F}_{\mathrm{CF}}, \mathcal{F}_{\mathrm{RSA}}, \mathcal{F}_{\mathrm{BB}})$-hybrid model with respect to $\mathcal{M}_{k/2}$-adversaries under the DDH-assumption and the strong RSA-assumption.

As indicated in the body of the paper all assumptions except the assumption 
of a bulletin board can be eliminated. The assumption of a bulletin board can 
only be eliminated for blocking adversaries (cf. [49]). 


7 Conclusion 

We have introduced a novel way to construct a mix-net, and given the first 
provably secure sender verifiable mix-net. We have also introduced a novel ap- 
proach to construct a proof of a shuffle, and shown how this can be used to 
securely realize the ideal zero-knowledge proof of knowledge functionality for a 
decrypt-permutation relation. Combined, this gives the first universally compos- 
able mix-net that is efficient for any number of mix-servers. 
Abstract. We first propose the notion of universally anonymizable 
public-key encryption. Suppose that we have the encrypted data made 
with the same security parameter, and that these data do not satisfy the 
anonymity property. Consider the situation that we would like to trans- 
form these encrypted data to those with the anonymity property with- 
out decrypting these encrypted data. In this paper, in order to formal- 
ize this situation, we propose a new property for public-key encryption 
called universal anonymizability. If we use a universally anonymizable 
public-key encryption scheme, not only the person who made the cipher- 
texts, but also anyone can anonymize the encrypted data without using 
the corresponding secret key. We then propose universally anonymizable 
public-key encryption schemes based on the ElGamal encryption scheme, 
the Cramer-Shoup encryption scheme, and RSA-OAEP, and prove their 
security. 

Keywords: encryption, anonymity, key-privacy, ElGamal, Cramer- 
Shoup, RSA-OAEP. 

1 Introduction 

The classical security requirement of public-key encryption schemes is that it 
provides privacy of the encrypted data. Popular formalizations such as indistin- 
guishability or non-malleability, under either the chosen-plaintext or the chosen- 
ciphertext attacks are directed at capturing various data-privacy requirements. 

Bellare, Boldyreva, Desai, and Pointcheval [1] proposed a new security re- 
quirement of encryption schemes called “key-privacy” or “anonymity.” It asks 
that an encryption scheme provides (in addition to privacy of the data being en- 
crypted) privacy of the key under which the encryption was performed. That is, 
if an encryption scheme provides the key-privacy, then the receiver is anonymous 
from the point of view of the adversary. 

In addition to the notion of key-privacy, they provided the RSA-based anonymous encryption scheme, RSA-RAEP, which is a variant of RSA-OAEP (Bellare and Rogaway [2], Fujisaki, Okamoto, Pointcheval, and Stern [7]). Recently, Hayashi, Okamoto, and Tanaka [10] proposed the RSA-based anonymous encryption scheme by using the RSACD function. Hayashi and Tanaka [11] constructed the RSA-based anonymous encryption scheme by using the sampling twice technique. In [11], they also mentioned the scheme with the expanding technique for comparison; however, there is no security proof.

Fig. 1. The costs of the encryption schemes

With respect to the discrete-log based schemes, Bellare, Boldyreva, Desai, 
and Pointcheval [1] proved that the ElGamal and the Cramer-Shoup encryption 
schemes provide the anonymity property when all of the users use a common 
group. 

In this paper, we consider the following situation. In order to send e-mails, all members of a company use an encryption scheme which does not provide the anonymity property. They consider that e-mails sent inside the company do not have to be anonymized and that it is sufficient for the data to be encrypted. However, when e-mails are sent outside the company, they want to anonymize them to protect against an eavesdropper on the public network.

A trivial answer to this problem is that all members use an encryption scheme with the anonymity property. However, generally speaking, creating ciphertexts with the anonymity property requires additional computational cost. In fact, the RSA-based anonymous encryption schemes proposed in [1,10,11], which are based on RSA-OAEP, are not efficient with respect to the encryption cost or the size of ciphertexts compared with RSA-OAEP (see Figure 1; here $k, k_0, k_1$ are security parameters and we assume that $N$ is uniformly distributed in $(2^{k-1}, 2^k)$). Since the members do not need to anonymize internal e-mails, it would be better to use the standard encryption scheme within the company.

We propose another way to solve this. Consider the situation that not only the 
person who made the ciphertexts, but also anyone can transform the encrypted 
data to those with the anonymity property without decrypting these encrypted 
data. If we have this situation, we can make an e-mail gateway which can trans- 
form encrypted e-mails to those with the anonymity property without using the 
corresponding secret key when they are sent to the outside of the company. 

Furthermore, we can use this e-mail gateway in order to guarantee the 
anonymity property for e-mails sent to the outside of the company. The president 
of the company may consider that all e-mails sent to the outside of the company 
should be anonymized. In this case, even if someone tries to send e-mails to the 
outside of the company without anonymization, the e-mails passing through the 
e-mail gateway are always anonymized. 

In this paper, in order to formalize this idea, we propose a special type of public-key encryption scheme called a universally anonymizable public-key encryption scheme. A universally anonymizable public-key encryption scheme consists of a standard public-key encryption scheme $\mathcal{PE}$ and two additional algorithms, that is, an anonymizing algorithm $\mathcal{UA}$ and a decryption algorithm $\mathcal{DA}$ for anonymized ciphertexts. We can use $\mathcal{PE}$ as a standard encryption scheme which need not have the anonymity property. Furthermore, in this scheme, by using the anonymizing algorithm $\mathcal{UA}$, anyone who has a standard ciphertext can anonymize it with its public key whenever she wants to. The receiver can decrypt the anonymized ciphertext by using the decryption algorithm $\mathcal{DA}$ for anonymized ciphertexts. Then, the adversary cannot know under which key the anonymized ciphertext was created.

To formalize the security properties for universally anonymizable public-key 
encryption, we define three requirements, the key-privacy, the data-privacy on 
standard ciphertexts, and that on anonymized ciphertexts. 

We then propose the universally anonymizable public-key encryption schemes 
based on the ElGamal encryption scheme, the Cramer-Shoup encryption scheme, 
and RSA-OAEP, and prove their security. 

We show the key-privacy property of our schemes by applying an argument in [1] with modifications. The argument in [1] for the discrete-log based schemes depends heavily on the situation where all of the users employ a common group. However, in our discrete-log based schemes, we do not use a common group for obtaining the key-privacy property. Therefore, we cannot straightforwardly apply their argument to our schemes. To prove the key-privacy property of our schemes, we employ the idea described in [5] by Cramer and Shoup, where we encode the elements of $QR_p$ (the group of quadratic residues modulo $p$), where $p = 2q+1$ and $p, q$ are prime, to those of $\mathbb{Z}_q$. This encoding plays an important role in our schemes. We also employ the expanding technique: given a ciphertext, we expand it to the common domain. This technique was proposed by Desmedt [6]. In [8], Galbraith and Mao used this technique for the undeniable signature scheme. In [13], Rivest, Shamir, and Tauman also used this technique for the ring signature scheme.

The organization of this paper is as follows. In Section 2, we review the defini- 
tions of the Decisional Diffie-Hellman problem, the families of hash functions, and 
the RSA family of trap-door permutations. In Section 3, we formulate the notion 
of universally anonymizable public-key encryption and its security properties. 
We propose the universally anonymizable public-key encryption scheme based 
on the ElGamal encryption scheme in Section 4, that based on the Cramer-Shoup 
encryption scheme in Section 5, and that based on RSA-OAEP in Section 6. 

2 Preliminaries 

2.1 The Decisional Diffie-Hellman Problem 

In this section, we review the decisional Diffie-Hellman Problem. 

Definition 1 (DDH). Let $\mathcal{G}$ be a group generator which takes as input a security parameter $k$ and returns $(q, g)$ where $q$ is a $k$-bit integer and $g$ is a generator of a cyclic group $G_q$ of order $q$. Let $D$ be an adversary. We consider the following experiments:

296 R. Hayashi and K. Tanaka

Experiment $\mathrm{Exp}^{\mathrm{ddh\text{-}real}}_{\mathcal{G},D}(k)$
 $(q, g) \leftarrow \mathcal{G}(k)$; $x, y \xleftarrow{R} \mathbb{Z}_q$
 $X \leftarrow g^x$; $Y \leftarrow g^y$; $T \leftarrow g^{xy}$
 $d \leftarrow D(q, g, X, Y, T)$
 return $d$

Experiment $\mathrm{Exp}^{\mathrm{ddh\text{-}rand}}_{\mathcal{G},D}(k)$
 $(q, g) \leftarrow \mathcal{G}(k)$; $x, y \xleftarrow{R} \mathbb{Z}_q$
 $X \leftarrow g^x$; $Y \leftarrow g^y$; $T \xleftarrow{R} G_q$
 $d \leftarrow D(q, g, X, Y, T)$
 return $d$

The advantage of $D$ in solving the Decisional Diffie-Hellman (DDH) problem for $\mathcal{G}$ is defined by

$$\mathrm{Adv}^{\mathrm{ddh}}_{\mathcal{G},D}(k) = \left|\Pr[\mathrm{Exp}^{\mathrm{ddh\text{-}real}}_{\mathcal{G},D}(k) = 1] - \Pr[\mathrm{Exp}^{\mathrm{ddh\text{-}rand}}_{\mathcal{G},D}(k) = 1]\right|.$$

We say that the DDH problem for $\mathcal{G}$ is hard if the function $\mathrm{Adv}^{\mathrm{ddh}}_{\mathcal{G},D}(k)$ is negligible for any algorithm $D$ whose time-complexity is polynomial in $k$.

The "time-complexity" is the worst case execution time of the experiment plus the size of the code of the adversary, in some fixed RAM model of computation.


2.2 Families of Hash Functions 

In this section, we describe the definitions of families of hash functions and 
universal one-wayness. 

Definition 2 (Families of Hash Functions). A family of hash functions $\mathcal{H} = (\mathcal{GH}, \mathcal{EH})$ is defined by two algorithms. A probabilistic generator algorithm $\mathcal{GH}$ takes the security parameter $k$ as input and returns a key $K$. A deterministic evaluation algorithm $\mathcal{EH}$ takes the key $K$ and a string $M \in \{0,1\}^*$ and returns a string $\mathcal{EH}_K(M) \in \{0,1\}^{k-1}$.

Definition 3 (Universal One-Wayness). Let $\mathcal{H} = (\mathcal{GH}, \mathcal{EH})$ be a family of hash functions and let $C = (C_1, C_2)$ be an adversary. We consider the following experiment:

Experiment $\mathrm{Exp}^{\mathrm{uow}}_{\mathcal{H},C}(k)$
 $(x_0, s_1) \leftarrow C_1(k)$; $K \leftarrow \mathcal{GH}(k)$; $x_1 \leftarrow C_2(K, x_0, s_1)$
 if $((x_0 \neq x_1) \wedge (\mathcal{EH}_K(x_0) = \mathcal{EH}_K(x_1)))$ then return 1 else return 0

Note that $s_1$ is the state information. We define the advantage of $C$ via
$$\mathrm{Adv}^{\mathrm{uow}}_{\mathcal{H},C}(k) = \Pr[\mathrm{Exp}^{\mathrm{uow}}_{\mathcal{H},C}(k) = 1].$$

We say that the family of hash functions $\mathcal{H}$ is universal one-way if $\mathrm{Adv}^{\mathrm{uow}}_{\mathcal{H},C}(k)$ is negligible for any algorithm $C$ whose time-complexity is polynomial in $k$.

2.3 The RSA Family of Trap-Door Permutations 

In this section, we describe the definitions of the RSA family of trap-door permutations, denoted by $\mathsf{RSA}$, and $\theta$-partial one-wayness of $\mathsf{RSA}$.

Definition 4 (The RSA Family of Trap-Door Permutations). The RSA family of trap-door permutations $\mathsf{RSA} = (K, E, I)$ is described as follows. The key generation algorithm $K$ takes as input a security parameter $k$ and picks random, distinct primes $p, q$ in the range $2^{\lceil k/2 \rceil - 1} < p, q < 2^{\lceil k/2 \rceil}$ and $2^{k-1} < pq < 2^k$. It sets $N = pq$ and picks $e, d \in \mathbb{Z}^*_{\phi(N)}$ such that $ed \equiv 1 \pmod{\phi(N)}$. The public key is $(N, e, k)$ and the secret key is $(N, d, k)$. The evaluation algorithm is $E_{N,e,k}(x) = x^e \bmod N$ and the inversion algorithm is $I_{N,d,k}(y) = y^d \bmod N$.

Definition 5 ($\theta$-Partial One-Wayness of RSA). Let $k \in \mathbb{N}$ be a security parameter. Let $0 < \theta \le 1$ be a constant. Let $A$ be an adversary. We consider the following experiment:

Experiment $\mathrm{Exp}^{\theta\text{-}\mathrm{pow\text{-}fnc}}_{\mathsf{RSA},A}(k)$
 $((N, e, k), (N, d, k)) \leftarrow K(k)$; $x \xleftarrow{R} \mathbb{Z}_N^*$; $y \leftarrow x^e \bmod N$
 $x_1 \leftarrow A(pk, y)$ where $|x_1| = \lceil \theta \cdot |x| \rceil$
 if $((x_1 \| x_2)^e \bmod N = y$ for some $x_2)$ return 1 else return 0

Here, "$\|$" denotes concatenation. We define the advantage of the adversary via
$$\mathrm{Adv}^{\theta\text{-}\mathrm{pow\text{-}fnc}}_{\mathsf{RSA},A}(k) = \Pr[\mathrm{Exp}^{\theta\text{-}\mathrm{pow\text{-}fnc}}_{\mathsf{RSA},A}(k) = 1]$$
where the probability is taken over $K$, $x \in \mathbb{Z}_N^*$, and $A$. We say that $\mathsf{RSA}$ is $\theta$-partial one-way if the function $\mathrm{Adv}^{\theta\text{-}\mathrm{pow\text{-}fnc}}_{\mathsf{RSA},A}(k)$ is negligible for any adversary $A$ whose time complexity is polynomial in $k$.

Note that when $\theta = 1$ the notion of $\theta$-partial one-wayness coincides with the standard notion of one-wayness. Fujisaki, Okamoto, Pointcheval, and Stern [7] showed that the $\theta$-partial one-wayness of $\mathsf{RSA}$ is equivalent to the (1-partial) one-wayness of $\mathsf{RSA}$ for $\theta > 0.5$.

3 Universally Anonymizable Public-Key Encryption 

In this section, we propose the definition of universally anonymizable public-key 
encryption schemes and its security properties. 

3.1 The Definition of Universally Anonymizable Public-Key 
Encryption Schemes 

We formalize the notion of universally anonymizable public-key encryption 
schemes as follows. 

Definition 6. A universally anonymizable public-key encryption scheme $\mathcal{UAPE} = ((\mathcal{K}, \mathcal{E}, \mathcal{D}), \mathcal{UA}, \mathcal{DA})$ consists of a public-key encryption scheme $\mathcal{PE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ and two other algorithms.

- The key generation algorithm $\mathcal{K}$ is a randomized algorithm that takes as input a security parameter $k$ and returns a pair $(pk, sk)$ of keys, a public key and a matching secret key.

- The encryption algorithm $\mathcal{E}$ is a randomized algorithm that takes the public key $pk$ and a plaintext $m$ and returns a standard ciphertext $c$.

- The decryption algorithm $\mathcal{D}$ for standard ciphertexts is a deterministic algorithm that takes the secret key $sk$ and a standard ciphertext $c$ and returns the corresponding plaintext $m$ or a special symbol $\bot$ to indicate that the standard ciphertext is invalid.

- The anonymizing algorithm $\mathcal{UA}$ is a randomized algorithm that takes the public key $pk$ and a standard ciphertext $c$ and returns an anonymized ciphertext $c'$.

- The decryption algorithm $\mathcal{DA}$ for anonymized ciphertexts is a deterministic algorithm that takes the secret key $sk$ and an anonymized ciphertext $c'$ and returns the corresponding plaintext $m$ or a special symbol $\bot$ to indicate that the anonymized ciphertext is invalid.

We require the standard correctness condition. That is, for any $(pk, sk)$ output by $\mathcal{K}$ and $m \in \mathcal{M}(pk)$, where $\mathcal{M}(pk)$ denotes the message space of $pk$, we have $m = \mathcal{D}_{sk}(\mathcal{E}_{pk}(m))$ and $m = \mathcal{DA}_{sk}(\mathcal{UA}_{pk}(\mathcal{E}_{pk}(m)))$.

In the universally anonymizable public-key encryption scheme, we can use $\mathcal{PE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ as a standard encryption scheme. Furthermore, in this scheme, by using the anonymizing algorithm $\mathcal{UA}$, anyone who has a standard ciphertext can anonymize it whenever she wants to. The receiver can decrypt the anonymized ciphertext by using the decryption algorithm $\mathcal{DA}$ for anonymized ciphertexts.

3.2 Security Properties of Universally Anonymizable Public-Key 
Encryption Schemes 

We now define security properties with respect to universally anonymizable 
public-key encryption schemes. 

Data-Privacy. We define the security property called data-privacy of univer- 
sally anonymizable public-key encryption schemes. The definition is based on 
the indistinguishability for standard public-key encryption schemes. 

We can consider two types of data-privacy, that is, the data-privacy on stan- 
dard ciphertexts and that on anonymized ciphertexts. We first describe the de- 
finition of the data-privacy on standard ciphertexts. 

Definition 7 (Data-Privacy on Standard Ciphertexts). Let $b \in \{0,1\}$ and $k \in \mathbb{N}$. Let $A^{\mathrm{cpa}} = (A_1^{\mathrm{cpa}}, A_2^{\mathrm{cpa}})$ and $A^{\mathrm{cca}} = (A_1^{\mathrm{cca}}, A_2^{\mathrm{cca}})$ be adversaries that run in two stages, where $A^{\mathrm{cca}}$ has access to the oracles $\mathcal{D}_{sk}(\cdot)$ and $\mathcal{DA}_{sk}(\cdot)$. Note that $s_1$ is the state information. It contains $pk$, $m_0$, $m_1$, and so on. For $\mathrm{atk} \in \{\mathrm{cpa}, \mathrm{cca}\}$, we consider the following experiment:

Experiment $\mathrm{Exp}^{\mathrm{dp\text{-}std\text{-}atk\text{-}}b}_{\mathcal{UAPE},A^{\mathrm{atk}}}(k)$
 $(pk, sk) \leftarrow \mathcal{K}(k)$; $(m_0, m_1, s_1) \leftarrow A_1^{\mathrm{atk}}(pk)$; $c \leftarrow \mathcal{E}_{pk}(m_b)$; $d \leftarrow A_2^{\mathrm{atk}}(c, s_1)$
 return $d$

Note that $m_0, m_1 \in \mathcal{M}(pk)$. Above it is mandated that $A_2^{\mathrm{cca}}$ never queries the challenge $c$ to $\mathcal{D}_{sk}(\cdot)$. It is also mandated that $A_2^{\mathrm{cca}}$ never queries any anonymized ciphertext $c' \in \{\mathcal{UA}_{pk}(c)\}$, the set of all possible outputs of the randomized algorithm $\mathcal{UA}_{pk}$ on input $c$, to $\mathcal{DA}_{sk}(\cdot)$. For $\mathrm{atk} \in \{\mathrm{cpa}, \mathrm{cca}\}$, we define the advantage via

$$\mathrm{Adv}^{\mathrm{dp\text{-}std\text{-}atk}}_{\mathcal{UAPE},A^{\mathrm{atk}}}(k) = \left|\Pr[\mathrm{Exp}^{\mathrm{dp\text{-}std\text{-}atk\text{-}1}}_{\mathcal{UAPE},A^{\mathrm{atk}}}(k) = 1] - \Pr[\mathrm{Exp}^{\mathrm{dp\text{-}std\text{-}atk\text{-}0}}_{\mathcal{UAPE},A^{\mathrm{atk}}}(k) = 1]\right|.$$

We say that the universally anonymizable public-key encryption scheme $\mathcal{UAPE}$ provides the data-privacy on standard ciphertexts against the chosen plaintext attack (respectively the adaptive chosen ciphertext attack) if $\mathrm{Adv}^{\mathrm{dp\text{-}std\text{-}cpa}}_{\mathcal{UAPE},A^{\mathrm{cpa}}}(k)$ (resp. $\mathrm{Adv}^{\mathrm{dp\text{-}std\text{-}cca}}_{\mathcal{UAPE},A^{\mathrm{cca}}}(k)$) is negligible for any adversary $A$ whose time complexity is polynomial in $k$.

In the above experiment, if the challenge is $c$, then anyone can compute an element of $\{\mathcal{UA}_{pk}(c)\}$ and would otherwise obtain $m_b$ from $\mathcal{DA}_{sk}$. Therefore, in the CCA setting, we restrict the oracle access to $\mathcal{DA}$ as described above.

We next describe the definition of the data-privacy on anonymized cipher- 
texts. 

Definition 8 (Data-Privacy on Anonymized Ciphertexts). Let $b \in \{0,1\}$ and $k \in \mathbb{N}$. Let $A^{\mathrm{cpa}} = (A_1^{\mathrm{cpa}}, A_2^{\mathrm{cpa}})$ and $A^{\mathrm{cca}} = (A_1^{\mathrm{cca}}, A_2^{\mathrm{cca}})$ be adversaries that run in two stages, where $A^{\mathrm{cca}}$ has access to the oracles $\mathcal{D}_{sk}(\cdot)$ and $\mathcal{DA}_{sk}(\cdot)$. For $\mathrm{atk} \in \{\mathrm{cpa}, \mathrm{cca}\}$, we consider the following experiment:

Experiment $\mathrm{Exp}^{\mathrm{dp\text{-}anon\text{-}atk\text{-}}b}_{\mathcal{UAPE},A^{\mathrm{atk}}}(k)$
 $(pk, sk) \leftarrow \mathcal{K}(k)$; $(m_0, m_1, s_1) \leftarrow A_1^{\mathrm{atk}}(pk)$
 $c \leftarrow \mathcal{E}_{pk}(m_b)$; $c' \leftarrow \mathcal{UA}_{pk}(c)$; $d \leftarrow A_2^{\mathrm{atk}}(c', s_1)$
 return $d$

Note that $m_0, m_1 \in \mathcal{M}(pk)$. Above it is mandated that $A_2^{\mathrm{cca}}$ never queries the challenge $c'$ to $\mathcal{DA}_{sk}(\cdot)$. For $\mathrm{atk} \in \{\mathrm{cpa}, \mathrm{cca}\}$, we define the advantage via

$$\mathrm{Adv}^{\mathrm{dp\text{-}anon\text{-}atk}}_{\mathcal{UAPE},A^{\mathrm{atk}}}(k) = \left|\Pr[\mathrm{Exp}^{\mathrm{dp\text{-}anon\text{-}atk\text{-}1}}_{\mathcal{UAPE},A^{\mathrm{atk}}}(k) = 1] - \Pr[\mathrm{Exp}^{\mathrm{dp\text{-}anon\text{-}atk\text{-}0}}_{\mathcal{UAPE},A^{\mathrm{atk}}}(k) = 1]\right|.$$

We say that the universally anonymizable public-key encryption scheme $\mathcal{UAPE}$ provides the data-privacy on anonymized ciphertexts against the chosen plaintext attack (resp. the adaptive chosen ciphertext attack) if $\mathrm{Adv}^{\mathrm{dp\text{-}anon\text{-}cpa}}_{\mathcal{UAPE},A^{\mathrm{cpa}}}(k)$ (resp. $\mathrm{Adv}^{\mathrm{dp\text{-}anon\text{-}cca}}_{\mathcal{UAPE},A^{\mathrm{cca}}}(k)$) is negligible for any adversary $A$ whose time complexity is polynomial in $k$.

Remark 1. In the CPA setting, if there exists an algorithm which breaks the data-privacy on anonymized ciphertexts, then we can break that on standard ciphertexts by applying the anonymizing algorithm to the standard ciphertext and passing the resulting anonymized ciphertext to the adversary which breaks the data-privacy on anonymized ciphertexts. Therefore, in the CPA setting, it is sufficient that the universally anonymizable public-key encryption scheme provides the data-privacy on standard ciphertexts.

On the other hand, in the CCA setting, the data-privacy on standard ciphertexts does not always imply that on anonymized ciphertexts, since the oracle access of the adversary attacking the data-privacy on standard ciphertexts is restricted more strictly than that of the adversary attacking the data-privacy on anonymized ciphertexts.


Key-Privacy. We define the security property called key-privacy of universally 
anonymizable public-key encryption schemes. If the scheme provides the key- 
privacy, the adversary cannot know under which key the anonymized ciphertext 
was created. 

Definition 9 (Key-Privacy). Let $b \in \{0,1\}$ and $k \in \mathbb{N}$. Let $A^{\mathrm{cpa}} = (A_1^{\mathrm{cpa}}, A_2^{\mathrm{cpa}})$ and $A^{\mathrm{cca}} = (A_1^{\mathrm{cca}}, A_2^{\mathrm{cca}})$ be adversaries that run in two stages, where $A^{\mathrm{cca}}$ has access to the oracles $\mathcal{D}_{sk_0}(\cdot)$, $\mathcal{D}_{sk_1}(\cdot)$, $\mathcal{DA}_{sk_0}(\cdot)$, and $\mathcal{DA}_{sk_1}(\cdot)$. For $\mathrm{atk} \in \{\mathrm{cpa}, \mathrm{cca}\}$, we consider the following experiment:

Experiment $\mathrm{Exp}^{\mathrm{kp\text{-}atk\text{-}}b}_{\mathcal{UAPE},A^{\mathrm{atk}}}(k)$
 $(pk_0, sk_0) \leftarrow \mathcal{K}(k)$; $(pk_1, sk_1) \leftarrow \mathcal{K}(k)$
 $(m_0, m_1, s_1) \leftarrow A_1^{\mathrm{atk}}(pk_0, pk_1)$; $c \leftarrow \mathcal{E}_{pk_b}(m_b)$; $c' \leftarrow \mathcal{UA}_{pk_b}(c)$; $d \leftarrow A_2^{\mathrm{atk}}(c', s_1)$
 return $d$

Note that $m_0 \in \mathcal{M}(pk_0)$ and $m_1 \in \mathcal{M}(pk_1)$. Above it is mandated that $A_2^{\mathrm{cca}}$ never queries the challenge $c'$ to either $\mathcal{DA}_{sk_0}(\cdot)$ or $\mathcal{DA}_{sk_1}(\cdot)$. For $\mathrm{atk} \in \{\mathrm{cpa}, \mathrm{cca}\}$, we define the advantage via

$$\mathrm{Adv}^{\mathrm{kp\text{-}atk}}_{\mathcal{UAPE},A^{\mathrm{atk}}}(k) = \left|\Pr[\mathrm{Exp}^{\mathrm{kp\text{-}atk\text{-}1}}_{\mathcal{UAPE},A^{\mathrm{atk}}}(k) = 1] - \Pr[\mathrm{Exp}^{\mathrm{kp\text{-}atk\text{-}0}}_{\mathcal{UAPE},A^{\mathrm{atk}}}(k) = 1]\right|.$$

We say that the universally anonymizable public-key encryption scheme $\mathcal{UAPE}$ provides the key-privacy against the chosen plaintext attack (resp. the adaptive chosen ciphertext attack) if $\mathrm{Adv}^{\mathrm{kp\text{-}cpa}}_{\mathcal{UAPE},A^{\mathrm{cpa}}}(k)$ (resp. $\mathrm{Adv}^{\mathrm{kp\text{-}cca}}_{\mathcal{UAPE},A^{\mathrm{cca}}}(k)$) is negligible for any adversary $A$ whose time complexity is polynomial in $k$.

Bellare, Boldyreva, Desai, and Pointcheval [1] proposed a security require- 
ment of encryption schemes called “key-privacy.” Similar to the above definition, 
it asks that the encryption provides privacy of the key under which the encryp- 
tion was performed. In addition to the property of the universal anonymizability, 
there are two differences between their definition and ours. 

In [1], they defined the encryption scheme with some common key which contains the common parameters for all users to obtain the key-privacy property. For example, in the discrete-log based schemes such as the ElGamal and the Cramer-Shoup encryption schemes, the common key contains a common group $G$, and the encryption is performed over the common group for all users.

On the other hand, in our definition, we do not prepare any common key for obtaining the key-privacy property. In the universally anonymizable public-key encryption scheme, we can use a standard encryption scheme which need not have the key-privacy property. In addition, anyone can anonymize the ciphertext by using its public key whenever she wants to, and the adversary cannot know under which key the anonymized ciphertext was created.

In the definition in [1], they considered the situation that the message space was common to each user. Therefore, in the experiment of their definition, the adversary chooses only one message $m$ from the common message space and receives a ciphertext of $m$ encrypted with one of two keys $pk_0$ and $pk_1$.

In our definition, we do not use common parameters, and the message spaces for users may be different even if the security parameter is fixed. In fact, in Sections 4 and 5, we propose encryption schemes whose message spaces differ between users. Therefore, in the experiment of our definition, the adversary chooses two messages $m_0$ and $m_1$, where $m_0$ and $m_1$ are in the message spaces for $pk_0$ and $pk_1$, respectively, and receives either a ciphertext of $m_0$ encrypted with $pk_0$ or a ciphertext of $m_1$ encrypted with $pk_1$. The ability of the adversary with two messages $m_0$ and $m_1$ might be stronger than that with one message $m$.

We say that a universally anonymizable public-key encryption scheme $\mathcal{UAPE}$ is CPA-secure (resp. CCA-secure) if the scheme $\mathcal{UAPE}$ provides the data-privacy on standard ciphertexts, that on anonymized ciphertexts, and the key-privacy against the chosen plaintext attack (resp. the adaptive chosen ciphertext attack).

4 ElGamal and Its Universal Anonymizability 

In this section, we propose a universally anonymizable ElGamal encryption scheme.


4.1 The ElGamal Encryption Scheme

Definition 10 (ElGamal). The ElGamal encryption scheme $\mathcal{PE}^{\mathrm{EG}} = (\mathcal{K}^{\mathrm{EG}}, \mathcal{E}^{\mathrm{EG}}, \mathcal{D}^{\mathrm{EG}})$ is as follows. Note that $\mathcal{G}$ is a QR-group generator with a safe prime which takes as input a security parameter $k$ and returns $(q, g)$ where $q$ is a $k$-bit prime, $p = 2q+1$ is prime, and $g$ is a generator of the cyclic group $QR_p$ (the group of quadratic residues modulo $p$) of order $q$.

Algorithm $\mathcal{K}^{\mathrm{EG}}(k)$
 $(q, g) \leftarrow \mathcal{G}(k)$
 $x \xleftarrow{R} \mathbb{Z}_q$; $y \leftarrow g^x$
 return $pk = (q, g, y)$ and $sk = x$

Algorithm $\mathcal{E}^{\mathrm{EG}}_{pk}(m)$
 $r \xleftarrow{R} \mathbb{Z}_q$
 $c_1 \leftarrow g^r$
 $c_2 \leftarrow m \cdot y^r$
 return $(c_1, c_2)$

Algorithm $\mathcal{D}^{\mathrm{EG}}_{sk}(c_1, c_2)$
 $m \leftarrow c_2 \cdot c_1^{-x}$
 return $m$

The ElGamal encryption scheme is secure in the sense of IND-CPA if the DDH problem for $\mathcal{G}$ is hard.


4.2 Universal Anonymizability of the ElGamal Encryption Scheme 

We now consider the situation that there exists no common key, and in the above definition of the ElGamal encryption scheme each user chooses an arbitrary prime $q$ where $|q| = k$ and $p = 2q+1$ is also prime, and uses the group of quadratic residues modulo $p$. Therefore, each user $U_i$ uses a different group $G_i$ for her encryption scheme, and if she publishes the ciphertext directly (without anonymization) then the scheme does not provide the key-privacy. In fact, the adversary simply checks whether the ciphertext $y$ is in the group $G_i$, and if $y \notin G_i$ then $y$ was not encrypted by $U_i$. To anonymize the standard ciphertext of the ElGamal encryption scheme, we consider the following strategy in the anonymizing algorithm.

1. Compute a ciphertext $c$ over each user's prime-order group.

2. Encode $c$ to an element $\bar{c} \in \mathbb{Z}_q$ (the encoding function).

3. Expand $\bar{c}$ to the common domain (the expanding technique).

We describe the encoding function and the expanding technique. 

The Encoding Function. Generally speaking, it is not easy to encode the elements of a prime-order group of order $q$ to those of $\mathbb{Z}_q$. We employ the idea described in [5] by Cramer and Shoup. We can encode the elements of $QR_p$ where $p = 2q + 1$ and $p, q$ are prime to those of $\mathbb{Z}_q$.

Let $p$ be a safe prime (i.e. $q = (p - 1)/2$ is also prime) and $QR_p \subset \mathbb{Z}_p^*$ the group of quadratic residues modulo $p$. Then we have $|QR_p| = q$ and $QR_p = \{1^2 \bmod p,\ 2^2 \bmod p,\ \cdots,\ q^2 \bmod p\}$. It is easy to see that $QR_p$ is a cyclic group of order $q$, and each $g \in QR_p \setminus \{1\}$ is a generator of $QR_p$.

We now define a function $F_q : QR_p \to \mathbb{Z}_q$ as

$F_q(x) = \min\{\, x^{\frac{q+1}{2}} \bmod p,\ -x^{\frac{q+1}{2}} \bmod p \,\}$.

Noticing that $\pm x^{\frac{q+1}{2}} \bmod p$ are the square roots of $x$ modulo $p$, the function $F_q$ is bijective and we have $F_q^{-1}(y) = y^2 \bmod p$. We call the function $F_q$ an encoding function. We also define a $t$-encoding function $F_{q,t} : (QR_p)^t \to (\mathbb{Z}_q)^t$. $F_{q,t}$ takes as input $(x_1, \cdots, x_t) \in (QR_p)^t$ and returns $(y_1, \cdots, y_t) \in (\mathbb{Z}_q)^t$ where $y_i = F_q(x_i)$ for each $i \in \{1, \cdots, t\}$. It is easy to see that $F_{q,t}$ is bijective and we can define $F_{q,t}^{-1}$.

The Expanding Technique. This technique was proposed by Desmedt [6]. 
In [8], Galbraith and Mao used this technique for the undeniable signature 
scheme. In [13], Rivest, Shamir, and Tauman also used this technique for the 
ring signature scheme. 

In the expanding technique, we expand $c \in \mathbb{Z}_q$ to the common domain $\{0,1\}^{k+k_b}$. In particular, we choose $t \xleftarrow{R} \{0, 1, 2, \cdots, \lfloor (2^{k+k_b} - c)/q \rfloor\}$ and set $c' \leftarrow c + tq$.

Then, for any $q$ where $|q| = k$, if $c$ is uniformly chosen from $\mathbb{Z}_q$, then the statistical distance between the distribution of the output $c'$ by the expanding technique and the uniform distribution over $\{0,1\}^{k+k_b}$ is less than $1/2^{k_b - 1}$. In the following, we set $k_b = 160$.
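As an added illustration (not part of the paper), the following Python computes the exact distribution of $c'$ for constructed toy parameters $q = 251$ ($k = 8$) and $k_b = 6$, its statistical distance from the uniform distribution on $\{0,1\}^{k+k_b}$, and checks the bound $1/2^{k_b-1}$; it also exposes that the upper limit $\lfloor (2^{k+k_b} - c)/q \rfloor$ exactly as written lets $c' = 2^{k+k_b}$ occur for the single residue $c \equiv 2^{k+k_b} \pmod q$.

```python
from fractions import Fraction

def expanded_distribution(q, K):
    """Exact distribution of c' = c + t*q when c is uniform over Z_q and t is
    uniform over {0, ..., floor((2^K - c)/q)}, i.e. the expanding technique with
    the upper limit exactly as written in the paper (K = k + k_b)."""
    dist = {}
    for c in range(q):
        t_max = (2 ** K - c) // q
        p = Fraction(1, q * (t_max + 1))          # Pr[c] * Pr[t | c]
        for t in range(t_max + 1):
            dist[c + t * q] = dist.get(c + t * q, Fraction(0)) + p
    return dist

def statistical_distance_from_uniform(dist, K):
    """SD = 1/2 * sum_x |P(x) - U(x)| with U uniform over [0, 2^K).  Mass that P
    puts outside [0, 2^K), where U is 0, is counted in full."""
    u = Fraction(1, 2 ** K)
    total = sum(abs(dist.get(x, Fraction(0)) - u) for x in range(2 ** K))
    total += sum(p for x, p in dist.items() if x >= 2 ** K)
    return total / 2

def overflow_mass(dist, K):
    """Probability that c' does not fit in K bits.  This happens only for the
    residue c = 2^K mod q: then q divides 2^K - c, so t_max * q = 2^K - c."""
    return sum((p for x, p in dist.items() if x >= 2 ** K), Fraction(0))

def check_expanding_bound(q, k, k_b):
    """Return (SD from uniform, the paper's bound 1/2^(k_b - 1), overflow mass)."""
    assert q.bit_length() == k, "q must be a k-bit prime"
    K = k + k_b
    dist = expanded_distribution(q, K)
    return (statistical_distance_from_uniform(dist, K),
            Fraction(1, 2 ** (k_b - 1)),
            overflow_mass(dist, K))

if __name__ == "__main__":
    # toy parameters: q = 251 is prime and p = 2q + 1 = 503 is prime
    sd, bound, overflow = check_expanding_bound(251, 8, 6)
    print(f"SD from uniform = {float(sd):.6f}, bound = {float(bound):.6f}, ok = {sd < bound}")
    print(f"mass at c' = 2^K, outside the common domain: {overflow}")
```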
Our Scheme. We now propose our universally anonymizable ElGamal encryption scheme. Our scheme provides the key-privacy against the chosen plaintext attack even if each user chooses an arbitrary prime $q$ where $|q| = k$ and $p = 2q + 1$ is also prime, and uses a group of quadratic residues modulo $p$.


Definition 11. Our universally anonymizable ElGamal encryption scheme $\mathcal{UAPE}^{EG} = ((\mathcal{K}^{EG}, \mathcal{E}^{EG}, \mathcal{D}^{EG}), \mathcal{UA}^{EG}, \mathcal{DA}^{EG})$ consists of the ElGamal encryption scheme $\mathcal{PE}^{EG} = (\mathcal{K}^{EG}, \mathcal{E}^{EG}, \mathcal{D}^{EG})$ and two algorithms described as follows.


Algorithm $\mathcal{UA}^{EG}_{pk}(c_1, c_2)$
  $(\bar{c}_1, \bar{c}_2) \leftarrow F_{q,2}(c_1, c_2)$
  $t_1 \xleftarrow{R} \{0, 1, 2, \cdots, \lfloor (2^{k+160} - \bar{c}_1)/q \rfloor\}$
  $t_2 \xleftarrow{R} \{0, 1, 2, \cdots, \lfloor (2^{k+160} - \bar{c}_2)/q \rfloor\}$
  $c'_1 \leftarrow \bar{c}_1 + t_1 q$; $c'_2 \leftarrow \bar{c}_2 + t_2 q$
  return $(c'_1, c'_2)$

Algorithm $\mathcal{DA}^{EG}_{sk}(c'_1, c'_2)$
  $\bar{c}_1 \leftarrow c'_1 \bmod q$; $\bar{c}_2 \leftarrow c'_2 \bmod q$
  $(c_1, c_2) \leftarrow F_{q,2}^{-1}(\bar{c}_1, \bar{c}_2)$
  $m \leftarrow \mathcal{D}^{EG}_{sk}(c_1, c_2)$
  return $m$
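The following Python, added here as an illustration (it is not the paper's code), instantiates Definition 11 with two constructed toy safe-prime groups ($q = 251, p = 503$ and $q = 233, p = 467$) and $k_b = 6$ instead of 160, so the common domain is $\{0,1\}^{14}$; the same `encode`/`expand` functions apply componentwise to the Cramer-Shoup variant of Definition 13. Two conventions are ours: the value $q$ produced by $\min\{\pm x^{(q+1)/2} \bmod p\}$ is written as $0$ so that the range is exactly $\mathbb{Z}_q$, and the expansion draws $t$ from $\{0, \ldots, \lfloor (2^{k+k_b} - 1 - c)/q \rfloor\}$ so that $c' < 2^{k+k_b}$ always.

```python
import secrets

# Constructed toy groups (q, p, g): q is an 8-bit prime, p = 2q + 1 is prime and
# g = 2^2 is a quadratic residue != 1, hence a generator of QR_p.  Real |q| >= 1024.
GROUP_A = (251, 503, 4)
GROUP_B = (233, 467, 4)
K, KB = 8, 6                  # k = |q|; the paper fixes k_b = 160
COMMON = 2 ** (K + KB)        # common domain {0,1}^(k+k_b) shared by all users

def is_in_qr(p, x):
    """Group-membership test an adversary can run on a standard ciphertext (Euler's criterion)."""
    return 0 < x < p and pow(x, (p - 1) // 2, p) == 1

def encode(grp, x):
    """F_q: QR_p -> Z_q.  Since p = 3 (mod 4), x^((q+1)/2) is a square root of x;
    the two roots are r and p - r, and exactly one of them lies in {1, ..., q}."""
    q, p, _ = grp
    r = pow(x, (q + 1) // 2, p)
    return min(r, p - r) % q      # our convention: the representative q is written as 0

def decode(grp, y):
    """F_q^{-1}(y) = y^2 mod p, undoing the convention above."""
    q, p, _ = grp
    return pow(y if y else q, 2, p)

def expand(c, modulus):
    """Expanding technique: c' = c + t*modulus with t uniform; the '- 1' keeps c' < 2^(k+k_b)."""
    t = secrets.randbelow((COMMON - 1 - c) // modulus + 1)
    return c + t * modulus

def keygen(grp):
    q, p, g = grp
    x = secrets.randbelow(q)
    return (grp, pow(g, x, p)), x            # pk carries (q, g, y) via the group tuple, sk = x

def encrypt(pk, m):
    (q, p, g), y = pk
    r = secrets.randbelow(q)
    return pow(g, r, p), (m * pow(y, r, p)) % p

def decrypt(pk, sk, c):
    (q, p, _), _ = pk
    c1, c2 = c
    return (c2 * pow(c1, (q - sk) % q, p)) % p     # c1^(-x), using c1^q = 1

def anonymize(pk, c):
    """UA^{EG}: encode each component into Z_q, then expand it into the common domain."""
    grp, _ = pk
    return tuple(expand(encode(grp, ci), grp[0]) for ci in c)

def deanonymize(pk, sk, c_prime):
    """DA^{EG}: reduce mod q, decode back into QR_p, then decrypt as usual."""
    grp, _ = pk
    return decrypt(pk, sk, tuple(decode(grp, ci % grp[0]) for ci in c_prime))

def demo(grp=GROUP_A, msg=42):
    """One user's round trip; the message is forced into QR_p by squaring."""
    pk, sk = keygen(grp)
    m = pow(msg, 2, grp[1])
    c = encrypt(pk, m)
    c_prime = anonymize(pk, c)
    return m, c, c_prime, decrypt(pk, sk, c), deanonymize(pk, sk, c_prime)

if __name__ == "__main__":
    m, c, c_prime, m1, m2 = demo()
    print("standard ciphertext components lie in QR_503:", all(is_in_qr(503, ci) for ci in c))
    print("anonymized components are plain 14-bit integers:", c_prime, all(x < COMMON for x in c_prime))
    print("decrypt / deanonymize both recover m:", m1 == m, m2 == m)
```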


4.3 Security 

In this section, we prove that our universally anonymizable ElGamal encryption scheme $\mathcal{UAPE}^{EG}$ is CPA-secure assuming that the DDH problem for $\mathcal{G}$ is hard.

We can easily see that our scheme provides the data-privacy on standard ciphertexts against the chosen plaintext attack if the DDH problem for $\mathcal{G}$ is hard. More precisely, we can prove that if there exists a CPA-adversary attacking the data-privacy on standard ciphertexts of our scheme with advantage $\epsilon$, then there exists a CPA-adversary attacking the indistinguishability of the ElGamal encryption scheme with the same advantage $\epsilon$.

Note that this implies our scheme provides the data-privacy on anonymized ciphertexts against the chosen plaintext attack if the DDH problem for $\mathcal{G}$ is hard.

We now prove our scheme provides the key-privacy against the chosen plain- 
text attack. To prove this, we use the idea of Halevi [9]. 

Lemma 1 (Halevi [9]). Let $\mathcal{PE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a (standard) encryption scheme that is CCA secure (resp. CPA secure) for the indistinguishability (data-privacy). Then a sufficient condition for $\mathcal{PE}$ to be also CCA secure (resp. CPA secure) for the key-privacy (defined by Bellare, Boldyreva, Desai, and Pointcheval) is that the statistical distance between the two distributions

$D_0 = \{(pk_0, pk_1, \mathcal{E}_{pk_0}(m)) : (pk_0, sk_0), (pk_1, sk_1) \leftarrow \mathcal{K}(k);\ m \xleftarrow{R} M(pk_0)\}$

$D_1 = \{(pk_0, pk_1, \mathcal{E}_{pk_1}(m)) : (pk_0, sk_0), (pk_1, sk_1) \leftarrow \mathcal{K}(k);\ m \xleftarrow{R} M(pk_1)\}$

is negligible.

This lemma shows the relation between the indistinguishability and the key-privacy for standard encryption schemes. We can apply this lemma to our universally anonymizable encryption scheme. That is, if the universally anonymizable encryption scheme $\mathcal{UAPE} = ((\mathcal{K}, \mathcal{E}, \mathcal{D}), \mathcal{UA}, \mathcal{DA})$ provides the data-privacy on anonymized ciphertexts against CCA (resp. CPA) and the statistical distance between the two distributions

$D'_0 = \{(pk_0, pk_1, \mathcal{UA}_{pk_0}(\mathcal{E}_{pk_0}(m))) : (pk_0, sk_0), (pk_1, sk_1) \leftarrow \mathcal{K}(k);\ m \xleftarrow{R} M(pk_0)\}$

$D'_1 = \{(pk_0, pk_1, \mathcal{UA}_{pk_1}(\mathcal{E}_{pk_1}(m))) : (pk_0, sk_0), (pk_1, sk_1) \leftarrow \mathcal{K}(k);\ m \xleftarrow{R} M(pk_1)\}$

is negligible, then $\mathcal{UAPE}$ provides the key-privacy against CCA (resp. CPA).

By using this, in order to prove that our scheme provides the key-privacy against the chosen plaintext attack, all we have to do is to see that the two distributions $D'_0$ and $D'_1$ derived by our scheme satisfy the property defined above. It is easy to see that the statistical distance between $D'_0$ and $D'_1$ is less than $2 \times (1/2^{159})^2$.

In conclusion, our universally anonymizable ElGamal encryption scheme is CPA-secure assuming that the DDH problem for $\mathcal{G}$ is hard.


5 Cramer-Shoup and Its Universal Anonymizability 

In this section, we propose a universally anonymizable Cramer-Shoup encryption 
scheme. 


5.1 The Cramer-Shoup Encryption Scheme 


Definition 12 (Cramer-Shoup). The Cramer-Shoup encryption scheme $\mathcal{PE}^{CS} = (\mathcal{K}^{CS}, \mathcal{E}^{CS}, \mathcal{D}^{CS})$ is defined as follows. Let $\mathcal{H} = (\mathcal{GH}, \mathcal{EH})$ be a family of hash functions. Note that $\mathcal{G}$ is a QR-group generator with a safe prime.


Algorithm $\mathcal{K}^{CS}(k)$
  $(q, g) \leftarrow \mathcal{G}(k)$; $K \leftarrow \mathcal{GH}(k)$
  $g_1 \leftarrow g$; $g_2 \xleftarrow{R} QR_p$
  $x_1, x_2, y_1, y_2, z \xleftarrow{R} \mathbb{Z}_q$
  $c \leftarrow g_1^{x_1} g_2^{x_2}$; $d \leftarrow g_1^{y_1} g_2^{y_2}$
  $h \leftarrow g_1^{z}$
  $pk \leftarrow (q, g_1, g_2, c, d, h, K)$
  $sk \leftarrow (x_1, x_2, y_1, y_2, z)$
  return $(pk, sk)$

Algorithm $\mathcal{E}^{CS}_{pk}(m)$
  $r \xleftarrow{R} \mathbb{Z}_q$
  $u_1 \leftarrow g_1^r$; $u_2 \leftarrow g_2^r$
  $e \leftarrow h^r m$
  $\alpha \leftarrow \mathcal{EH}_K(u_1, u_2, e)$
  $v \leftarrow c^r d^{r\alpha}$
  return $(u_1, u_2, e, v)$

Algorithm $\mathcal{D}^{CS}_{sk}(u_1, u_2, e, v)$
  $\alpha \leftarrow \mathcal{EH}_K(u_1, u_2, e)$
  if $(u_1^{x_1 + y_1\alpha}\, u_2^{x_2 + y_2\alpha} = v)$
    then $m \leftarrow e / u_1^{z}$
    else $m \leftarrow \bot$
  return $m$


Cramer and Shoup [5] proved that the Cramer-Shoup encryption scheme is secure in the sense of IND-CCA2 assuming that $\mathcal{H}$ is universal one-way and the DDH problem for $\mathcal{G}$ is hard. Lucks [12] recently proposed a variant of the Cramer-Shoup encryption scheme for groups of unknown order. This scheme is secure in the sense of IND-CCA2 assuming that the family of hash functions in the scheme is universal one-way, and both the Decisional Diffie-Hellman problem in $QR_N$ (the set of quadratic residues modulo $N$) and factoring $N$ are hard.
5.2 Universal Anonymizability of the Cramer-Shoup Encryption Scheme


We propose our universally anonymizable Cramer-Shoup encryption scheme. Our scheme provides the key-privacy against the adaptive chosen ciphertext attack even if each user chooses an arbitrary prime $q$ where $|q| = k$ and $p = 2q + 1$ is also prime, and uses a group of quadratic residues modulo $p$.

Note that in our scheme we employ the encoding function and the expanding technique that appeared in Section 4.


Definition 13. Our universally anonymizable Cramer-Shoup encryption scheme $\mathcal{UAPE}^{CS} = ((\mathcal{K}^{CS}, \mathcal{E}^{CS}, \mathcal{D}^{CS}), \mathcal{UA}^{CS}, \mathcal{DA}^{CS})$ consists of the Cramer-Shoup encryption scheme $\mathcal{PE}^{CS} = (\mathcal{K}^{CS}, \mathcal{E}^{CS}, \mathcal{D}^{CS})$ and two algorithms described as follows.


Algorithm $\mathcal{UA}^{CS}_{pk}(u_1, u_2, e, v)$
  $(\bar{u}_1, \bar{u}_2, \bar{e}, \bar{v}) \leftarrow F_{q,4}(u_1, u_2, e, v)$
  $t_1 \xleftarrow{R} \{0, 1, 2, \cdots, \lfloor (2^{k+160} - \bar{u}_1)/q \rfloor\}$
  $t_2 \xleftarrow{R} \{0, 1, 2, \cdots, \lfloor (2^{k+160} - \bar{u}_2)/q \rfloor\}$
  $t_3 \xleftarrow{R} \{0, 1, 2, \cdots, \lfloor (2^{k+160} - \bar{e})/q \rfloor\}$
  $t_4 \xleftarrow{R} \{0, 1, 2, \cdots, \lfloor (2^{k+160} - \bar{v})/q \rfloor\}$
  $u'_1 \leftarrow \bar{u}_1 + t_1 q$; $u'_2 \leftarrow \bar{u}_2 + t_2 q$
  $e' \leftarrow \bar{e} + t_3 q$; $v' \leftarrow \bar{v} + t_4 q$
  return $(u'_1, u'_2, e', v')$

Algorithm $\mathcal{DA}^{CS}_{sk}(u'_1, u'_2, e', v')$
  $\bar{u}_1 \leftarrow u'_1 \bmod q$; $\bar{u}_2 \leftarrow u'_2 \bmod q$
  $\bar{e} \leftarrow e' \bmod q$; $\bar{v} \leftarrow v' \bmod q$
  $(u_1, u_2, e, v) \leftarrow F_{q,4}^{-1}(\bar{u}_1, \bar{u}_2, \bar{e}, \bar{v})$
  $m \leftarrow \mathcal{D}^{CS}_{sk}(u_1, u_2, e, v)$
  return $m$


5.3 Security 

In this section, we prove that our universally anonymizable Cramer-Shoup encryption scheme $\mathcal{UAPE}^{CS}$ is CCA-secure assuming that the DDH problem for $\mathcal{G}$ is hard and $\mathcal{H}$ is universal one-way.

We can prove that our scheme provides the data-privacy on standard ciphertexts against the adaptive chosen ciphertext attack if the DDH problem for $\mathcal{G}$ is hard and $\mathcal{H}$ is universal one-way. More precisely, we can prove that if there exists a CCA-adversary $A$ attacking the data-privacy on standard ciphertexts of our scheme with advantage $\epsilon$, then there exists a CCA2-adversary $B$ attacking the indistinguishability of the Cramer-Shoup encryption scheme with the same advantage $\epsilon$. In the reduction of the proof, we have to simulate the decryption oracles for anonymized ciphertexts for $A$. If $A$ makes a query $c' = (u'_1, u'_2, e', v')$ to $\mathcal{DA}_{sk_0}(\cdot)$, we simply compute $c = (u'_1 \bmod q_0,\ u'_2 \bmod q_0,\ e' \bmod q_0,\ v' \bmod q_0)$ and decrypt $c$ by using the decryption algorithm $\mathcal{D}_{sk_0}(\cdot)$ for standard ciphertexts for $B$. We can simulate $\mathcal{DA}_{sk_1}(\cdot)$ in a similar way.

In order to prove that our scheme provides the key-privacy and the data-privacy on anonymized ciphertexts against the adaptive chosen ciphertext attack, we need the following restriction.

We define the set of ciphertexts $EC_{CS}((u'_1, u'_2, e', v'), pk)$, called the "equivalence class", as

$EC_{CS}((u'_1, u'_2, e', v'), pk) = \{(u_1, u_2, e, v) \in (\{0,1\}^{k+160})^4 \mid u_1 \equiv u'_1 \pmod q \wedge u_2 \equiv u'_2 \pmod q \wedge e \equiv e' \pmod q \wedge v \equiv v' \pmod q\}$.


If $c' = (u'_1, u'_2, e', v') \in (\{0,1\}^{k+160})^4$ is an anonymized ciphertext of $m$ under $pk = (q, g_1, g_2, c, d, h, K)$ then any element $c = (u_1, u_2, e, v) \in EC_{CS}(c', pk)$ is also an anonymized ciphertext of $m$ under $pk$. Therefore, when $c'$ is a challenge anonymized ciphertext, the adversary can ask an anonymized ciphertext $c \in EC_{CS}(c', pk_0)$ to the decryption oracle $\mathcal{DA}^{CS}_{sk_0}$ for anonymized ciphertexts, and if the answer of $\mathcal{DA}^{CS}_{sk_0}$ is $m_0$ then the adversary knows that $c'$ is encrypted by $pk_0$ and the plaintext of $c'$ is $m_0$.

Furthermore, the adversary can ask $(u'_1 \bmod q_0,\ u'_2 \bmod q_0,\ e' \bmod q_0,\ v' \bmod q_0)$ to the decryption oracle $\mathcal{D}^{CS}_{sk_0}$ for standard ciphertexts. If the answer of $\mathcal{D}^{CS}_{sk_0}$ is $m_0$, then the adversary knows that $c'$ is encrypted by $pk_0$ and the plaintext of $c'$ is $m_0$.

To prevent these attacks, we add some natural restriction to the adversaries in the definitions of the key-privacy and the data-privacy on anonymized ciphertexts. That is, it is mandated that the adversary never queries either $c \in EC_{CS}(c', pk_0)$ to $\mathcal{DA}^{CS}_{sk_0}$ or $c \in EC_{CS}(c', pk_1)$ to $\mathcal{DA}^{CS}_{sk_1}$. It is also mandated that the adversary never queries either $(u'_1 \bmod q_0,\ u'_2 \bmod q_0,\ e' \bmod q_0,\ v' \bmod q_0)$ to $\mathcal{D}^{CS}_{sk_0}$ or $(u'_1 \bmod q_1,\ u'_2 \bmod q_1,\ e' \bmod q_1,\ v' \bmod q_1)$ to $\mathcal{D}^{CS}_{sk_1}$.

We think these restrictions are natural and reasonable. Actually, in the case of undeniable and confirmer signature schemes, Galbraith and Mao [8] defined the anonymity of undeniable signature schemes with the above restriction. In [11], Hayashi and Tanaka also employed the same restriction in order to prove the anonymity of their encryption scheme. Incidentally, Canetti, Krawczyk, and Nielsen [4] proposed a relaxed notion of CCA security, called Replayable CCA (RCCA). In their security model, the schemes which require a restriction such as the equivalence class for proving their CCA security are secure in a variant of RCCA, pd-RCCA (publicly-detectable replayable CCA).

If we add these restrictions then we can prove that our scheme provides the data-privacy on anonymized ciphertexts against the adaptive chosen ciphertext attack if the DDH problem for $\mathcal{G}$ is hard and $\mathcal{H}$ is universal one-way. More precisely, we can prove that if there exists a CCA-adversary attacking the data-privacy on anonymized ciphertexts of our scheme with advantage $\epsilon$, then there exists a CCA-adversary attacking the data-privacy on standard ciphertexts of our scheme with the same advantage $\epsilon$.

We now prove our scheme provides the key-privacy against the adaptive chosen ciphertext attack. If we add the restrictions described above, we can prove this in a similar way as that for our universally anonymizable ElGamal encryption scheme. Note that the statistical distance between $D'_0$ and $D'_1$ (see Section 4.3) is less than $2 \times (1/2^{159})^4$.

In conclusion, our universally anonymizable Cramer-Shoup encryption scheme is CCA-secure assuming that the DDH problem for $\mathcal{G}$ is hard and $\mathcal{H}$ is universal one-way.
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6 RSA-OAEP and Its Universal Anonymizability 

In this section, we propose a universally anonymizable RSA-OAEP scheme. 


6.1 RSA-OAEP 

Definition 14 (RSA-OAEP). RSA-OAEP $\mathcal{PE}^{RO} = (\mathcal{K}^{RO}, \mathcal{E}^{RO}, \mathcal{D}^{RO})$ is as follows. Let $k$, $k_0$ and $k_1$ be security parameters such that $k_0 + k_1 < k$. This defines an associated plaintext-length $n = k - k_0 - k_1$. The key generation algorithm $\mathcal{K}^{RO}$ takes as input a security parameter $k$ and runs the key generation algorithm of RSA to get $N, e, d$. It outputs the public key $pk = (N, e)$ and the secret key $sk = d$. The other algorithms are depicted below. Let $G : \{0,1\}^{k_0} \to \{0,1\}^{n+k_1}$ and $H : \{0,1\}^{n+k_1} \to \{0,1\}^{k_0}$ be hash functions. Note that $[x]^{\ell}$ denotes the $\ell$ most significant bits of $x$, and $[x]_{\ell'}$ denotes the $\ell'$ least significant bits of $x$.


Algorithm $\mathcal{E}^{RO}_{pk}(m)$
  $r \xleftarrow{R} \{0,1\}^{k_0}$
  $s \leftarrow (m \| 0^{k_1}) \oplus G(r)$
  $t \leftarrow r \oplus H(s)$
  $c \leftarrow (s \| t)^e \bmod N$
  return $c$

Algorithm $\mathcal{D}^{RO}_{sk}(c)$
  $s \leftarrow [c^d \bmod N]^{n+k_1}$; $t \leftarrow [c^d \bmod N]_{k_0}$
  $r \leftarrow t \oplus H(s)$
  $m \leftarrow [s \oplus G(r)]^{n}$; $p \leftarrow [s \oplus G(r)]_{k_1}$
  if $(p = 0^{k_1})$ then $z \leftarrow m$ else $z \leftarrow \bot$
  return $z$


Fujisaki, Okamoto, Pointcheval, and Stern [7] proved that OAEP with partial one-way permutations is secure in the sense of IND-CCA2 in the random oracle model. They also showed that RSA is one-way if and only if RSA is $\theta$-partial one-way for $\theta > 0.5$. Thus, RSA-OAEP is secure in the sense of IND-CCA2 in the random oracle model assuming RSA is one-way.


6.2 Universal Anonymizability of RSA-OAEP 


A simple observation that seems to be folklore is that if one publishes the ciphertext of the RSA-OAEP scheme directly (without anonymization) then the scheme does not provide the key-privacy. Suppose an adversary knows that the ciphertext $c$ is created under one of two keys $(N_0, e_0)$ or $(N_1, e_1)$, and suppose $N_0 < N_1$. If $c > N_0$ then the adversary bets it was created under $(N_1, e_1)$, else the adversary bets it was created under $(N_0, e_0)$. It is not hard to see that this attack has non-negligible advantage.

To anonymize ciphertexts of RSA-OAEP, we do not have to employ the 
encoding function and we only use the expanding technique. 

Definition 15. Our universally anonymizable RSA-OAEP scheme $\mathcal{UAPE}^{RO} = ((\mathcal{K}^{RO}, \mathcal{E}^{RO}, \mathcal{D}^{RO}), \mathcal{UA}^{RO}, \mathcal{DA}^{RO})$ consists of RSA-OAEP $\mathcal{PE}^{RO} = (\mathcal{K}^{RO}, \mathcal{E}^{RO}, \mathcal{D}^{RO})$ and two algorithms described as follows.


Algorithm $\mathcal{UA}^{RO}_{pk}(c)$
  $a \xleftarrow{R} \{0, 1, 2, \cdots, \lfloor (2^{k+160} - c)/N \rfloor\}$
  $c' \leftarrow c + aN$
  return $c'$

Algorithm $\mathcal{DA}^{RO}_{sk}(c')$
  $c \leftarrow c' \bmod N$
  $z \leftarrow \mathcal{D}^{RO}_{sk}(c)$
  return $z$
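As an added example (not the paper's code), the following Python quantifies the folklore observation of Section 6.2 and the effect of Definition 15 on constructed toy RSA keys of equal bit length $k = 12$: it computes exactly the advantage of the "$c > N_0$" guess on standard ciphertexts and on anonymized ones, and checks the $\mathcal{UA}^{RO}$/$\mathcal{DA}^{RO}$ round trip. Plain RSA stands in for RSA-OAEP because the test only depends on the range of $c$; $k_b = 8$ replaces 160, and the expansion bound $\lfloor (2^{k+k_b} - 1 - c)/N \rfloor$ (ours) keeps $c' < 2^{k+k_b}$.

```python
from fractions import Fraction
from math import gcd
import secrets

# Constructed toy RSA keys with the same bit length k = 12 (real k is 1024 or more).
N0, E0 = 47 * 53, 17          # N0 = 2491
N1, E1 = 59 * 61, 17          # N1 = 3599 > N0
D0 = pow(E0, -1, 46 * 52)     # d = e^-1 mod phi(N)
D1 = pow(E1, -1, 58 * 60)
K, KB = 12, 8                 # the paper fixes k_b = 160; 8 keeps the toy domain small
COMMON = 2 ** (K + KB)        # common domain {0,1}^(k+k_b)

def anonymize(c, N):
    """UA^{RO}: c' = c + a*N with a uniform in {0, ..., floor((2^(k+k_b) - 1 - c)/N)}.
    The '- 1' is our deviation; the paper writes floor((2^(k+k_b) - c)/N)."""
    a = secrets.randbelow((COMMON - 1 - c) // N + 1)
    return c + a * N

def deanonymize(c_prime, N, d):
    """DA^{RO}: reduce to the standard ciphertext c' mod N, then decrypt (plain RSA here)."""
    return pow(c_prime % N, d, N)

def same_equivalence_class(c1, c2, N):
    """EC_RO(c', pk) membership: anonymized ciphertexts that agree mod N decrypt alike."""
    return c1 % N == c2 % N

def _units(N):
    return [c for c in range(1, N) if gcd(c, N) == 1]

def folklore_advantage_standard():
    """Guess key 1 iff c > N0.  RSA permutes Z*_N, so for a uniform plaintext the
    ciphertext is uniform over Z*_{N_i}; returns Pr[guess 1|key 1] - Pr[guess 1|key 0]."""
    def pr_guess1(N):
        u = _units(N)
        return Fraction(sum(1 for c in u if c > N0), len(u))
    return pr_guess1(N1) - pr_guess1(N0)

def folklore_advantage_anonymized():
    """Same test c' > N0 on anonymized ciphertexts, computed exactly: for a given c
    the values of a with c + a*N > N0 are a >= floor((N0 - c)/N) + 1."""
    def pr_guess1(N):
        u = _units(N)
        total = Fraction(0)
        for c in u:
            a_max = (COMMON - 1 - c) // N
            a_min = max((N0 - c) // N + 1, 0)
            total += Fraction(max(a_max - a_min + 1, 0), a_max + 1)
        return total / len(u)
    return pr_guess1(N1) - pr_guess1(N0)

def round_trip(m, N, e, d):
    """Encrypt, anonymize, de-anonymize; returns the recovered plaintext."""
    return deanonymize(anonymize(pow(m, e, N), N), N, d)

if __name__ == "__main__":
    print("advantage of 'c > N0' on standard ciphertexts:  ", float(folklore_advantage_standard()))
    print("advantage of 'c > N0' on anonymized ciphertexts:", float(folklore_advantage_anonymized()))
    print("round trip under (N0, e0):", round_trip(1234, N0, E0, D0) == 1234)
```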
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6.3 Security 

In this section, we prove that our universally anonymizable RSA-OAEP scheme $\mathcal{UAPE}^{RO}$ is CCA-secure in the random oracle model assuming RSA is one-way.

We can prove that our scheme provides the data-privacy on standard ciphertexts against the adaptive chosen ciphertext attack in the random oracle model assuming RSA is $\theta$-partial one-way for $\theta > 0.5$. More precisely, if RSA-OAEP is secure in the sense of IND-CCA2 then our scheme provides the data-privacy on standard ciphertexts against the adaptive chosen ciphertext attack. The proof is similar to that for our universally anonymizable Cramer-Shoup encryption scheme.

In order to prove that our scheme provides the key-privacy and the data- 
privacy on anonymized ciphertexts against the adaptive chosen ciphertext at- 
tack, we need the restrictions similar to those for our universally anonymizable 
Cramer-Shoup encryption scheme. We define the equivalence class for our uni- 
versally anonymizable RSA-OAEP scheme as 

$EC_{RO}(c', pk) = \{ c \in \{0,1\}^{k+160} \mid c \equiv c' \pmod N \}$

where $pk = (N, e)$, and it is mandated that the adversary never queries either $c \in EC_{RO}(c', pk_0)$ to $\mathcal{DA}^{RO}_{sk_0}$ or $c \in EC_{RO}(c', pk_1)$ to $\mathcal{DA}^{RO}_{sk_1}$. It is also mandated that the adversary never queries either $c' \bmod N_0$ to $\mathcal{D}^{RO}_{sk_0}$ or $c' \bmod N_1$ to $\mathcal{D}^{RO}_{sk_1}$.

If we add these restrictions then we can prove that our scheme provides the data-privacy on anonymized ciphertexts against the adaptive chosen ciphertext attack in the random oracle model assuming RSA is $\theta$-partial one-way for $\theta > 0.5$ in a similar way as that for our universally anonymizable Cramer-Shoup encryption scheme.

Furthermore, if we add the restrictions described above, then we can prove that our scheme provides the key-privacy against the adaptive chosen ciphertext attack in the random oracle model assuming RSA is $\theta$-partial one-way for $\theta > 0.5$. More precisely, we show the following theorem.¹

Theorem 1. For any adversary $A$ attacking the key-privacy of our scheme under the adaptive chosen ciphertext attack, and making at most $q_{dec}$ queries to the decryption oracle for standard ciphertexts, $q'_{dec}$ queries to the decryption oracle for anonymized ciphertexts, $q_{gen}$ $G$-oracle queries, and $q_{hash}$ $H$-oracle queries, there exists a $\theta$-partial inverting adversary $B$ for RSA, such that for any $k$, $k_0$, $k_1$, and $\theta = \frac{k - k_0}{k}$,

$\mathrm{Adv}_{\mathcal{UAPE}^{RO},A}(k) \le 8 q_{hash} \cdot ((1 - \epsilon_1) \cdot (1 - \epsilon_2))^{-1} \cdot \mathrm{Adv}^{\theta\text{-pow-fnc}}_{\mathrm{RSA},B}(k) + q_{gen} \cdot (1 - \epsilon_2)^{-1} \cdot 2^{-k+2}$

where $\epsilon_1 = \frac{2}{2^{k/2-3} - 1} + \frac{1}{2^{159}}$, $\epsilon_2 = \frac{2q_{gen} + q_{dec} + q'_{dec} + 2q_{gen}(q_{dec} + q'_{dec})}{2^{k_0}} + \frac{2(q_{dec} + q'_{dec})}{2^{k_1}} + \frac{2q_{hash}}{2^{k-k_0}}$, and the running time of $B$ is that of $A$ plus $q_{gen} \cdot q_{hash} \cdot O(k^3)$.

¹ Halevi [9] noted that we cannot apply Lemma 1 directly to the schemes analyzed in the random oracle model.

In conclusion, since RSA is $\theta$-partial one-way if and only if RSA is one-way for $\theta > 0.5$, our universally anonymizable RSA-OAEP scheme is CCA-secure in the random oracle model assuming RSA is one-way.

6.4 Proof of Theorem 1 

The proof is similar to that for RSA-RAEP. We construct the partial inverting algorithm $M$ for the RSA function using a CCA-adversary $A$ attacking the key-privacy (anonymity) of our encryption scheme. $M$ is given $pk = (N, e, k)$ and a point $y \in \mathbb{Z}_N^*$ where $|y| = k = n + k_0 + k_1$. Let $sk = (N, d, k)$ be the corresponding secret key. The algorithm is trying to find the $n + k_1$ most significant bits of the $e$-th root of $y$ modulo $N$.

1) $M$ picks $\mu \xleftarrow{R} \{0, 1, 2, \ldots, \lfloor (2^{k+160} - y)/N \rfloor\}$ and sets $Y \leftarrow y + \mu N$.

2) $M$ runs the key generation algorithm of RSA with security parameter $k$ to obtain $pk' = (N', e', k)$ and $sk' = (N', d', k)$. Then it picks a bit $b \xleftarrow{R} \{0,1\}$, and sets $pk_b \leftarrow (N, e)$ and $pk_{1-b} \leftarrow (N', e')$. If the above $Y$ does not satisfy $Y \in (\mathbb{Z}^*_{N_0} \cap \mathbb{Z}^*_{N_1})$ then $M$ outputs Fail and halts; else it continues.

3) $M$ initializes four lists, called G-list, H-list, $Y_0$-list, and $Y_1$-list, to empty. It then runs $A$ as follows. Note that $M$ simulates $A$'s oracles $G$, $H$, $\mathcal{D}_{sk_0}$, and $\mathcal{D}_{sk_1}$ as described below.

3-1) $M$ runs $A_1(pk_0, pk_1)$ and gets $(m_0, m_1, s_1)$ which is the output of $A_1$.

3-2) $M$ runs $A_2(Y, s_1)$ and gets a bit $d \in \{0, 1\}$ which is the output of $A_2$.

4) $M$ chooses a random element on the H-list and outputs it as its guess for the $n + k_1$ most significant bits of the $e$-th root of $y$ modulo $N$.

$M$ simulates $A$'s oracles $G$, $H$, $\mathcal{D}_{sk_0}$, and $\mathcal{D}_{sk_1}$ as follows:

— When $A$ makes an oracle query $g$ to $G$, then for each $(h, H_h)$ on the H-list, $M$ builds $z = h \| (g \oplus H_h)$, and computes $y_{h,g,0} = z^{e_0} \bmod N_0$ and $y_{h,g,1} = z^{e_1} \bmod N_1$. For $i \in \{0,1\}$, $M$ checks whether $y = y_{h,g,i}$. If for some $h$ and $i$ such a relation holds, then we have inverted $y$ under $pk_i$, and we can still correctly simulate $G$ by answering $G_g = h \oplus (m_i \| 0^{k_1})$. Otherwise, $M$ outputs a random value $G_g$ of length $n + k_1$. In both cases, $M$ adds $(g, G_g)$ to the G-list. Then, for all $h$, $M$ checks if the $k_1$ least significant bits of $h \oplus G_g$ are all 0. If they are, then it adds $y_{h,g,0}$ and $y_{h,g,1}$ to the $Y_0$-list and the $Y_1$-list, respectively.

— When $A$ makes an oracle query $h$ to $H$, $M$ provides $A$ with a random string $H_h$ of length $k_0$ and adds $(h, H_h)$ to the H-list. Then for each $(g, G_g)$ on the G-list, $M$ builds $z = h \| (g \oplus H_h)$, and computes $y_{h,g,0} = z^{e_0} \bmod N_0$ and $y_{h,g,1} = z^{e_1} \bmod N_1$. $M$ checks if the $k_1$ least significant bits of $h \oplus G_g$ are all 0. If they are, then it adds $y_{h,g,0}$ and $y_{h,g,1}$ to the $Y_0$-list and the $Y_1$-list, respectively.

— When for $i \in \{0,1\}$, $A$ makes an oracle query $y \in \mathbb{Z}^*_{N_i}$ to $\mathcal{D}_{sk_i}$, $M$ checks if there exists some $y_{h,g,i}$ in the $Y_i$-list such that $y = y_{h,g,i}$. If there is, then it returns the $n$ most significant bits of $h \oplus G_g$ to $A$. Otherwise it returns $\bot$ (indicating that $y$ is an invalid ciphertext).

— When for $i \in \{0,1\}$, $A$ makes an oracle query $Y \in \{0,1\}^{k+160}$ to $\mathcal{DA}_{sk_i}$, $M$ checks if there exists some $y_{h,g,i}$ in the $Y_i$-list such that $Y \bmod N_i = y_{h,g,i}$. If there is, then it returns the $n$ most significant bits of $h \oplus G_g$ to $A$. Otherwise it returns $\bot$ (indicating that $Y$ is an invalid anonymized ciphertext).

In order to analyze the advantage of $M$, we define some events. For $i \in \{0,1\}$, let $w_i = y^{d_i} \bmod N_i$, $s_i = [w_i]^{n+k_1}$, and $t_i = [w_i]_{k_0}$.

— $\mathsf{DSBad}$ denotes the event that
  • a $\mathcal{D}_{sk_0}$ query is not correctly answered, or
  • a $\mathcal{D}_{sk_1}$ query is not correctly answered.

— $\mathsf{DABad}$ denotes the event that
  • a $\mathcal{DA}_{sk_0}$ query is not correctly answered, or
  • a $\mathcal{DA}_{sk_1}$ query is not correctly answered.

— $\mathsf{DBad} = \mathsf{DSBad} \vee \mathsf{DABad}$.

— $\mathsf{YBad}$ denotes the event that $Y \notin (\mathbb{Z}^*_{N_0} \cap \mathbb{Z}^*_{N_1})$.

— $\mathsf{AskR}$ denotes the event that $(r_0, G_{r_0})$ or $(r_1, G_{r_1})$ is on the G-list at the end of step 3-2.

— $\mathsf{AskS}$ denotes the event that $(s_0, H_{s_0})$ or $(s_1, H_{s_1})$ is on the H-list at the end of step 3-2.

We let $\Pr[\cdot]$ denote the probability distribution in the game defining advantage and $\Pr_1[\cdot]$ the probability distribution in the simulated game where $\neg\mathsf{YBad}$ occurs. We can bound $\Pr_1[\mathsf{AskS}]$ in a similar way as in the proof of the anonymity for RSA-RAEP [1], and we have

$\Pr_1[\mathsf{AskS}] \ge \frac{1}{2} \cdot \Pr_1[\mathsf{AskR} \wedge \mathsf{AskS} \mid \neg\mathsf{DBad}] \cdot (1 - \Pr_1[\mathsf{DBad} \mid \neg\mathsf{AskS}]).$

We next bound $\Pr_1[\mathsf{AskR} \wedge \mathsf{AskS} \mid \neg\mathsf{DBad}]$. Let $\epsilon = \mathrm{Adv}_{\mathcal{UAPE}^{RO},A}(k)$. The proof of the following lemma is similar to that for RSA-RAEP.

Lemma 2.

$\Pr_1[\mathsf{AskR} \wedge \mathsf{AskS} \mid \neg\mathsf{DBad}] \ge \frac{\epsilon}{2} \cdot \left(1 - 2q_{gen} \cdot 2^{-k_0} - 2q_{hash} \cdot 2^{-n-k_1}\right) - 2q_{gen} \cdot 2^{-k}.$

We next bound $\Pr_1[\mathsf{DBad} \mid \neg\mathsf{AskS}]$. It is easy to see that $\Pr_1[\mathsf{DBad} \mid \neg\mathsf{AskS}] \le \Pr_1[\mathsf{DSBad} \mid \neg\mathsf{AskS}] + \Pr_1[\mathsf{DABad} \mid \neg\mathsf{AskS}]$, and the proof of the following lemma is similar to that for RSA-RAEP.

Lemma 3.

$\Pr_1[\mathsf{DSBad} \mid \neg\mathsf{AskS}] \le q_{dec} \cdot \left(2 \cdot 2^{-k_1} + (2q_{gen} + 1) \cdot 2^{-k_0}\right),$
$\Pr_1[\mathsf{DABad} \mid \neg\mathsf{AskS}] \le q'_{dec} \cdot \left(2 \cdot 2^{-k_1} + (2q_{gen} + 1) \cdot 2^{-k_0}\right).$
By applying Lemmas 2 and 3, we can bound $\Pr_1[\mathsf{AskS}]$ as

$\Pr_1[\mathsf{AskS}]$
$\ge \frac{1}{2} \cdot \left( \frac{\epsilon}{2} \cdot \left(1 - \frac{2q_{gen}}{2^{k_0}} - \frac{2q_{hash}}{2^{k-k_0}}\right) - \frac{2q_{gen}}{2^k} \right) \cdot \left(1 - (q_{dec} + q'_{dec}) \cdot \left(\frac{2}{2^{k_1}} + \frac{2q_{gen} + 1}{2^{k_0}}\right)\right)$
$\ge \frac{\epsilon}{4} \cdot \left(1 - \frac{2q_{gen} + q_{dec} + q'_{dec} + 2q_{gen}(q_{dec} + q'_{dec})}{2^{k_0}} - \frac{2(q_{dec} + q'_{dec})}{2^{k_1}} - \frac{2q_{hash}}{2^{k-k_0}}\right) - \frac{q_{gen}}{2^k}.$


We next bound the probability that $\mathsf{YBad}$ occurs.

Lemma 4.

$\Pr[\mathsf{YBad}] < \frac{2}{2^{k/2-3} - 1} + \frac{1}{2^{159}}.$


Proof (Lemma 4). Let $N = pq$ and $N' = p'q'$. We define a set $S[N]$ as $\{Y \mid Y \in [0, 2^{k+160}) \wedge (Y \bmod N) \in \mathbb{Z}_N^*\}$. Then, we have

$\Pr[\mathsf{YBad}]$
$= \Pr[y \xleftarrow{R} \mathbb{Z}_N^*;\ \mu \xleftarrow{R} \{0, 1, 2, \ldots, \lfloor (2^{k+160} - y)/N \rfloor\};\ Y \leftarrow y + \mu N : Y \notin S[N']]$
$\le \Pr[Y' \xleftarrow{R} S[N] : Y' \notin S[N']] + 1/2^{159}$

since the distribution of $Y'$ is statistically indistinguishable from that of $Y$, and the statistical distance is less than $1/2^{159}$.

Since $2^{160} \cdot \phi(N) < |S[N]| < 2^{k+160}$, we have

$\Pr[Y' \xleftarrow{R} S[N] : Y' \notin S[N']] < \frac{2^{k+160} - |S[N']|}{2^{160} \phi(N)}.$

Furthermore, we have

$2^{k+160} - |S[N']| = |\{Y' \mid Y' \in [0, 2^{k+160}) \wedge (Y' \bmod N') \notin \mathbb{Z}_{N'}^*\}|$
$\le |\{Y' \mid Y' \in [0, 2N' \cdot 2^{160}) \wedge (Y' \bmod N') \notin \mathbb{Z}_{N'}^*\}|$
$= 2^{161} \times |\{Y' \mid Y' \in [0, N') \wedge Y' \notin \mathbb{Z}_{N'}^*\}|$
$= 2^{161}(N' - \phi(N')).$

Noticing that $2^{\lceil k/2 \rceil - 1} < p, q, p', q' < 2^{\lceil k/2 \rceil}$ and $2^{k-1} < N, N' < 2^k$, we have

$\Pr[Y' \xleftarrow{R} S[N] : Y' \notin S[N']] \le \frac{2^{161}(N' - \phi(N'))}{2^{160}\phi(N)} \le \frac{2(p' + q')}{N - p - q} \le \frac{2(2^{\lceil k/2 \rceil} + 2^{\lceil k/2 \rceil})}{2^{k-1} - 2^{\lceil k/2 \rceil} - 2^{\lceil k/2 \rceil}} \le \frac{2}{2^{k/2-3} - 1}.$

Assuming $\neg\mathsf{YBad}$ occurs, we have by the random choice of $b$ and symmetry that the probability of $M$ outputting $s$ is at least $\frac{1}{2q_{hash}} \cdot \Pr_1[\mathsf{AskS}]$. Thus,

$\mathrm{Adv}^{\theta\text{-pow-fnc}}_{\mathrm{RSA},M}(k) \ge (1 - \Pr[\mathsf{YBad}]) \cdot \frac{\Pr_1[\mathsf{AskS}]}{2q_{hash}}.$

Substituting the bounds for the above probabilities and re-arranging the terms, we get the claimed result.

Finally, we estimate the time complexity of $M$. It is the time complexity of $A$ plus the time for simulating the random oracles. In the random oracle simulation, for each pair $((g, G_g), (h, H_h))$, it is sufficient to compute $y_{h,g,0} = z^{e_0} \bmod N_0$ and $y_{h,g,1} = z^{e_1} \bmod N_1$. Therefore, the time complexity of $M$ is that of $A$ plus $q_{gen} \cdot q_{hash} \cdot O(k^3)$.
Abstract. Let $X_1, X_2, \ldots, X_k$ be independent $n$ bit random variables. If they have arbitrary distributions, we show how to compute distributions like $\Pr\{X_1 \oplus X_2 \oplus \cdots \oplus X_k\}$ and $\Pr\{X_1 \boxplus X_2 \boxplus \cdots \boxplus X_k\}$ in complexity $O(kn2^n)$. Furthermore, if $X_1, X_2, \ldots, X_k$ are uniformly distributed we demonstrate a large class of functions $F(X_1, X_2, \ldots, X_k)$, for which we can compute their distributions efficiently.

These results have applications in linear cryptanalysis of stream ci- 
phers as well as block ciphers. A typical example is the approximation 
obtained when additions modulo 2 n are replaced by bitwise addition. 

The efficiency of such an approach is given by the bias of a distribution 
of the above kind. As an example, we give a new improved distinguishing 
attack on the stream cipher SNOW 2.0. 

Keywords: cryptanalysis, complexity, algorithms, convolution, approx- 
imations, large distributions, pseudo-linear functions. 

1 Introduction 

Linear cryptanalysis is one of the most powerful techniques for cryptanalysis. 
It can be regarded as a generic attack. It is for example the fastest known 
attack on DES. More recently, we have seen that linear cryptanalysis also plays 
a major role in the area of stream ciphers. Many recent proposals have been 
analyzed through the idea of replacing nonlinear operations by linear ones, and 
then hoping that obtained linear equations are correct with a probability slightly 
larger than otherwise expected. Actually, the best known attacks on many recent 
stream cipher proposals are linear attacks. This includes stream ciphers like 
Scream [1], SNOW [2,3], SOBER [4,5], RC4 [6], A5/1 [7], and many more. 

Most work in linear cryptanalysis on block ciphers are based on bitwise linear 
approximations. To oversimplify, we find a sum of certain plaintext bits, cipher- 
text bits and key bits such that this sum is zero with a probability 1/2 + e, 
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where e is usually small. By getting access to a large number of different plain- 
text/ciphertext pairs we can eventually find out the value of the sum of key bits. 
This results in a key recovery attack. 

In linear attacks on stream ciphers, it is mostly the case that a linear approxi- 
mation will give us a set of keystream symbols that sum to zero with probability 
1/2 + e. Since no key bits are involved in the expression, this gives us a dis- 
tinguishing attack. In some linear attacks on stream ciphers, one has moved 
from the binary alphabet to instead consider a sum of variables defined over a 
larger set. For example, we can consider a sum of different bytes from keystream 
sequence if it is byte oriented. Distinguishers based on symbols from a larger 
alphabet have been considered in for example [8,9,10]. 

It is clear that moving to a larger alphabet gives improved results. However, the computational complexity of finding the result increases. To be a bit more specific, assume for example that the operation $X_1 \boxplus X_2$ is replaced by $X_1 \oplus X_2$, where $\boxplus$ denotes mod $2^n$ addition. The usefulness of such an approximation is given by the distribution $\Pr\{(X_1 \boxplus X_2) \oplus (X_1 \oplus X_2) = \gamma\}$. However, the complexity of computing this distribution can be large. For example, for $n = 32$ bits a straightforward approach would require complexity $2^{64}$, an impossible size to implement.

Several previous papers studied related problems. For example, in [11] differential properties of addition, such as $DC^{+}(\alpha, \beta \to \gamma) := \Pr\{(x \boxplus y) \oplus ((x \oplus \alpha) \boxplus (y \oplus \beta)) = \gamma\}$, were studied in detail, including different useful and efficient computational algorithms. There are a few other results where different classes of similar functions (mostly related to differential properties) were achieved, e.g., in [12,13,14], and others. However, these papers focus only on a small class of functions, which can be regarded as a subclass of the functions studied in this paper, referred to as pseudo-linear functions. Moreover, our main concern is the algorithms on large distribution tables, i.e., to provide a practical tool for cryptanalysis over large distributions (or a large alphabet). When, for example, the probability space is $|\Omega| = 2^{32}$, our algorithms and data structures allow us to store and perform the most common operations over such huge distributions, with a reasonable time on a usual PC.

Consider $X_1, X_2, \ldots, X_k$ to be independent $n$ bit random variables. If they have arbitrary distributions, we show how to compute distributions like $\Pr\{X_1 \oplus X_2 \oplus \cdots \oplus X_k\}$ and $\Pr\{X_1 \boxplus X_2 \boxplus \cdots \boxplus X_k\}$ in complexity $O(kn2^n)$. For example, we compute the distribution $\Pr\{(X_1 \boxplus X_2) \oplus (X_1 \oplus X_2) = \gamma\}$ in complexity $2^{37} \cdot c$ for some small $c$. The presented algorithms make use of techniques from the Fast Fourier Transform and the Fast Hadamard Transform. Although some of these techniques were also mentioned in a recent paper [15], we include the full approach for completeness. We show how they can be performed when more complicated data structures are used, introduced due to a high memory complexity.

Next, if $X_1, X_2, \ldots, X_k$ are uniformly distributed we demonstrate a large class of functions $F(X_1, X_2, \ldots, X_k)$, for which we can compute the distribution $\Pr\{F(X_1, X_2, \ldots, X_k) = \gamma\}$ efficiently. Here, the algorithms are based on performing a combinatorial count in a bitwise fashion, taking the "carry depth" into account. These results give us efficient methods of calculating distributions of certain functions $F(X_1, X_2, \ldots, X_k)$. Fortunately, this includes many functions that appear in linear analysis of ciphers.
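As an added example (our own derivation, not the paper's Section 2 algorithm), the following Python computes the page's example distribution $\Pr\{(X_1 \boxplus X_2) \oplus (X_1 \oplus X_2) = \gamma\}$ two ways for small $n$: the $2^{2n}$ brute force, and an $O(n2^n)$ count that walks the bits and tracks the carry, which is the kind of bitwise carry-aware counting the paragraph alludes to.

```python
from collections import Counter
from fractions import Fraction

def brute_force_distribution(n):
    """Pr{(X1 [+] X2) xor (X1 xor X2) = gamma} for independent uniform n-bit X1, X2,
    by enumerating all 2^(2n) input pairs ([+] is addition mod 2^n)."""
    mask = (1 << n) - 1
    counts = Counter()
    for x1 in range(1 << n):
        for x2 in range(1 << n):
            counts[((x1 + x2) & mask) ^ x1 ^ x2] += 1
    return {g: Fraction(c, 1 << (2 * n)) for g, c in counts.items()}

def carry_chain_distribution(n):
    """Same distribution in O(n 2^n) operations.  Bit i of the sum is
    x_i ^ y_i ^ c_i, so gamma is exactly the carry-in vector (c_0 = 0), and over
    uniform inputs the carries form a Markov chain:
        Pr[c_{i+1} = 1 | c_i = 0] = Pr[x_i = y_i = 1]   = 1/4,
        Pr[c_{i+1} = 1 | c_i = 1] = Pr[x_i = 1 or y_i = 1] = 3/4,
    i.e. the carry keeps its value with probability 3/4 and flips with 1/4."""
    dist = {}
    for gamma in range(0, 1 << n, 2):          # bit 0 of gamma is always 0
        p, prev = Fraction(1), 0
        for i in range(1, n):
            bit = (gamma >> i) & 1
            p *= Fraction(3, 4) if bit == prev else Fraction(1, 4)
            prev = bit
        dist[gamma] = p
    return dist

def bias_of_zero(n):
    """Pr{gamma = 0} = (3/4)^(n-1): how often the approximation X1 [+] X2 ~ X1 xor X2 holds exactly."""
    return carry_chain_distribution(n)[0]

if __name__ == "__main__":
    n = 6
    print("brute force == carry chain for n =", n, ":", brute_force_distribution(n) == carry_chain_distribution(n))
    print("Pr{gamma = 0} for n = 32:", float(bias_of_zero(32)))
```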

As an example, we show an application in linear cryptanalysis of stream ciphers. A typical operation is the approximation obtained when additions modulo $2^n$ are replaced by bitwise addition. The efficiency of such an approach is given by the bias of a distribution of the above kind. In our example, we give a new improved distinguishing attack on the stream cipher SNOW 2.0.

In Section 2 we define a pseudo-linear class of functions and derive an algo- 
rithm to calculate their distributions. In Section 3 we show how a convolution 
of several distributions can be calculated efficiently. In Section 4 an application 
example of our approach to attack SNOW 2.0 is given. Finally, we summarize 
our results and make conclusions. 

2 A Pseudo-Linear Function Modulo $2^n$ and Its Distribution

For notation purposes we denote $n$-bit variables by a capital letter $X$, and 1-bit variables by a small letter $x$. Individual bits of $X$ in a vector form are represented as $X = x_{n-1} \ldots x_1 x_0$. By $X[a:b]$ we denote an integer number of the form $x_b \ldots x_{a+1} x_a$. If $Y = y_{m-1} \ldots y_0$, then $X \| Y = x_{n-1} \ldots x_0 y_{m-1} \ldots y_0$ is another integer number (concatenation). We use '$\boxplus$' and '$\boxminus$' to denote arithmetical addition and subtraction modulo $2^n$, respectively. However, when the inputs to a function $F(\cdot)$ are from the ring $\mathbb{Z}_{2^n}$, we assume '$+$' to be an addition in the ring as well. Matrix multiplication is denoted as '$\times$'. When it is applied to two vectors, then it denotes element-by-element multiplication of corresponding positions from the vectors.

2.1 A Pseudo-Linear Function Modulo $2^n$

Let $\mathbf{X}$ be a set of $k$ uniformly distributed $n$-bit (nonnegative) integer random variables $\mathbf{X} = \{X_1, \ldots, X_k\}$, $X_i \in \mathbb{Z}_{2^n}$. Let $\mathbf{C}$ be a set of $n$-bit constants $\mathbf{C} = \{C_1, \ldots, C_l\}$. Let $T_j$ be some symbol or expression on $\mathbf{X}$ and $\mathbf{C}$. We define arithmetic, Boolean, and simple terms as follows.

Definition 1. Given $\mathbf{X}$ and $\mathbf{C}$ we say that: (1) $A$ is an 'arithmetic term' if it has only the arithmetic $+$ operator between the input terms (e.g., $A = T_1 + T_2 + \ldots$); (2) $B$ is a 'Boolean term' if it contains only bitwise operators such as NOT, OR, AND, XOR, and others (e.g., $B = (T_1 \oplus T_2)\,|\,T_3 \,\&\, T_4 \ldots$); (3) $S$ is a 'simple term' if it is a symbol either from $\mathbf{X}$ or $\mathbf{C}$ (e.g., $S = X_1$). □

Next, we define a pseudo-linear function modulo $2^n$.

Definition 2. $F(X_1, \ldots, X_k)$ is called a 'pseudo-linear function modulo $2^n$' (PLFM) on $\mathbf{X}$ if it can recursively be expressed in arithmetic ($A$), Boolean ($B$), and simple ($S$) terms¹. We also refer to the number of $A$, $B$, and $S$ terms as $a$, $b$, and $s$, respectively. □

Note, if a given function contains a subtraction $\boxminus$, then it can easily be substituted by $\boxplus$ using

$X \boxminus Y = X \boxplus (\mathrm{NOT}\, Y) \boxplus 1 \pmod{2^n},$ (1)

which is valid in the ring modulo $2^n$. Note that the number of $A$-terms does not grow during the substitution.

As an example, let us consider a linear approximation of a modulo sum of the following kind: $X_1 \boxplus X_2 \boxplus X_3 \rightarrow X_1 \oplus X_2 \oplus X_3 \oplus N$, where $N$ is the noise variable introduced due to the approximation. The expression for the noise variable is a PLFM: $N = F(X_1, X_2, X_3) = (X_1 + X_2 + X_3) \oplus X_1 \oplus X_2 \oplus X_3$.

Finding the distribution of such an approximation could be the bottleneck in cryptanalysis work. The trivial algorithm for solving this problem would be as follows.

1. Loop for all $(X_1, X_2, X_3) \in \mathbb{Z}_{2^n}^3$
2. $T[(X_1 \boxplus X_2 \boxplus X_3) \oplus X_1 \oplus X_2 \oplus X_3]$++

After termination of the algorithm we have $\Pr\{N = \gamma\} = T[\gamma] / 2^{3n}$. The complexity of this classical solution when the variables are 32-bit integers is $O(2^{96})$, infeasible for a common PC. Instead, we suggest another principle to solve this problem, as follows.

1. for $\gamma = 0 \ldots 2^n - 1$
2. $T[\gamma]$ = some combinatorial function.

In the upcoming section we show how this combinatorial function is constructed.

2.2 Algorithm for Calculating the Distribution for a PLFM 

The problem we are considering in this subsection is the following. Given a PLFM $F(X_1, X_2, \ldots, X_k)$ on $\mathbf{X}$ and $\mathbf{C}$, we want to calculate the probability $\Pr\{F(X_1, X_2, \ldots, X_k) = \gamma\}$, for a fixed value $\gamma$, in an efficient way.

Let some arithmetic term $A$ have $k^+$ operators '+', i.e., $A = T_0 + T_1 + \ldots + T_{k^+}$, where $T_j$ are some other terms, possibly $B$ or $S$. Then, considering 1-bit inputs, the evaluation of the $A$ term can, potentially, produce the local maximum carry value $\omega_{\max} = \lfloor (k^+ + 1)/2 \rfloor$. This carry value at some bit $t$ can influence the next bits of the sum at positions $t+1$, $t+2$, etc. Therefore, the maximum carry value $\sigma_{\max}$ at every bit $t$ of the sum for $A$ is derived as the minimum integer solution of the equation $\sigma_{\max} = \lfloor (k^+ + 1 + \sigma_{\max})/2 \rfloor$. Thus, for every arithmetic term $A_i$ the maximum local carry value is

$\sigma_{i\max} = k_i^+,$ (2)

where $k_i^+$ is the number of additions in $A_i$.

¹ Note that a PLFM is a T-function [16], but not vice versa.



Fast Computation of Large Distributions and Its Cryptographic Applications 317 


For any $t$-bit truncated input tuple $(X_1, \ldots, X_k)$ to the function $F(\cdot)$ we can define a tuple of local carry values for each of the $A_i$-terms, as follows:

$\Psi|_t = (\sigma_1|_t, \ldots, \sigma_a|_t),$ (3)

where $\sigma_i|_t$ is the corresponding local carry value for the $A_i$-term when the inputs are $t$-bit truncated, and it can also be expressed as

$\sigma_i|_t = \Big( \sum_{j=0}^{k_i^+} T_{i,j}(X_1 \bmod 2^t, \ldots, X_k \bmod 2^t) \Big)\ \mathrm{div}\ 2^t,$ (4)

when $A_i = T_{i,0} + \ldots + T_{i,k_i^+}$.

Assume there is an oracle $P_t(\Psi_0, \gamma)$ which can tell us the number of choices of the tuple $(X_1[0:t-1], \ldots, X_k[0:t-1])$ out of $2^{t \cdot k}$ possible combinations, such that for each choice the function $F$ produces the required vector of local carry values $\Psi|_t = \Psi_0$, and the condition $F(X_1, \ldots, X_k) = \gamma \bmod 2^t$ is satisfied, i.e. $F(X_1, \ldots, X_k)[0:t-1] = \gamma[0:t-1]$. The probability we are seeking can now be written as

$\Pr\{F(X_1, \ldots, X_k) = \gamma\} = \frac{1}{2^{kn}} \sum_{\Psi_0} P_n(\Psi_0, \gamma).$ (5)

It remains to show how to construct the oracles $P_t(\Psi_0, \gamma)$. Assume we know the answer $P_t(\Psi_0, \gamma)$ for every $\Psi_0$. When $\Psi|_t = \Psi_0$ is fixed, then, by trying all combinations for the $t$-th bits of the inputs, i.e., testing each $k$-bit vector $(X_1[t:t], \ldots, X_k[t:t])$, we can calculate the exact value of $F(X_1, \ldots, X_k)[t:t]$, as well as the exact resulting local carries vector $\Psi|_{t+1}$. Clearly, the oracle $P_{t+1}(\Psi, \gamma)$ makes calls to $P_t(\Psi_0, \gamma)$, for various values of $\Psi_0$. That relation is linear, and can easily be represented in a matrix form. For this purpose, let us introduce a one-to-one index mapping function $\mathrm{Index}(\Psi) : (\sigma_1 \times \sigma_2 \times \ldots \times \sigma_a) \rightarrow \theta \in [0 \ldots \theta_{\max} - 1]$, as follows.

$\mathrm{Index}(\Psi) = ((\sigma_1 \cdot (\sigma_{2\max} + 1) + \sigma_2) \cdot (\sigma_{3\max} + 1) + \sigma_3) \cdot \ldots,$
$\theta_{\max} = \prod_{j=1}^{a} (\sigma_{j\max} + 1) = \prod_{j=1}^{a} (k_j^+ + 1).$ (6)

Now, $P_t(\Psi, \gamma)$ for all $\Psi$ can be regarded as a vector $\big(P_t(\mathrm{Index}^{-1}(0), \gamma), \ldots, P_t(\mathrm{Index}^{-1}(\theta_{\max} - 1), \gamma)\big)$, also referred to for simplicity as $P_t$, for all the consecutive valid tuples $\Psi$. The transformation from $P_t$ to $P_{t+1}$ is a linear function, i.e., it can be written as

$P_{t+1} = M_{\gamma_t|t} \times P_t,$ (7)

where $M_{\gamma_t|t}$ is some fixed connection matrix of size $(\theta_{\max} \times \theta_{\max})$, which, in general, is different for different $t$'s. It depends on the $t$-th bits of the constants involved in $F(\cdot)$, and it also depends on the value of the $t$-th bit $\gamma_t$ of the given $\gamma$, since the oracle $P_{t+1}(\Psi, \gamma)$ must satisfy $\gamma$ taken modulo $2^{t+1}$ as well. If the input variables are 0-truncated, then only one vector $\Psi|_0 = (0, 0, \ldots, 0)$ of local carry values is possible, i.e., $P_0 = (1\ 0\ \ldots\ 0)$. Therefore, we assign the oracle $P_0$ to be just a zero vector, but $P_0(0, \gamma) = 1$.

In this way, $2n$ such matrices have to be constructed. However, in most cases this number is much smaller. The algorithm to construct the matrices from (7) and then calculate (5) is given as follows.

Theorem 1. For a given PLFM $F(X_1, \ldots, X_k)$, and a fixed $\gamma \in \mathbb{Z}_{2^n}$, we have:

$\Pr\{F(X_1, \ldots, X_k) = \gamma\} = \frac{1}{2^{kn}}\, (1\ 1\ \ldots\ 1) \times M_{\gamma_{n-1}|n-1} \times \ldots \times M_{\gamma_0|0} \times (1\ 0\ \ldots\ 0)^T,$ (8)

where $M_{\gamma_t|t}$ are connection matrices of size $(\theta_{\max} \times \theta_{\max})$, precomputed with the algorithm below.


Algorithm: Construction of $2n$ matrices $M_{\gamma_t|t}$.

1. Input:
   $F(X_1, \ldots, X_k)$ - a PLFM with $a$ arithmetical terms $A_i$, each having $k_i^+$ operators '+', correspondingly;

2. Data structures:
   $\theta_{\max} = \prod_{i=1}^{a} (k_i^+ + 1)$;
   $M_{\{0,1\}|t=[0 \ldots n-1]}[\theta_{\max}][\theta_{\max}]$ - $2n$ square matrices of size $(\theta_{\max} \times \theta_{\max})$, initialised with zeros;

3. Precomputation algorithm:
   for $t = 0 \ldots n-1$
     Temporarily set the constants from $\mathbf{C}$ to be just the $t$-th bit of the original ones, i.e., set $(C_1, \ldots, C_l) = (C_1[t:t], \ldots, C_l[t:t])$
     for $(X_1, \ldots, X_k) \in \{0,1\}^k$ - (all combinations for the $t$-th bits of $X$'s)
       for $\theta = 0 \ldots \theta_{\max} - 1$ - (all combinations for $\Psi$)
         $(\sigma_1, \ldots, \sigma_a) = \mathrm{Index}^{-1}(\theta)$
         Evaluate all $\mu_i = \sigma_i + A_i(X_1, \ldots, X_k)$², but in $A_i$ substitute all sub terms $A_j$ with the values $(\mu_j \bmod 2)$, correspondingly
         $\theta' = \mathrm{Index}(\mu_1\ \mathrm{div}\ 2, \ldots, \mu_a\ \mathrm{div}\ 2)$ - (a new resulting $\Psi'$)
         Evaluate the function $f = F(\cdot) \bmod 2$, but substitute all terms $A_j$ with the values $\mu_j$, correspondingly
         $M_{f|t}[\theta'][\theta] := M_{f|t}[\theta'][\theta] + 1$

   - Time Complexity: $O(n \cdot \theta_{\max} \cdot 2^k)$
   - Memory Complexity: $O(2n \cdot \theta_{\max}^2)$

² Variables $\mu_i$, which correspond to the terms $A_i$, should be calculated recursively. The deepest $A$ term should be calculated first, and so on.
Below we give an example that demonstrates all the steps of the algorithm.


Example 1. Let $k = 3$, $n = 5$. Assume that our goal is to calculate the probability $\Pr\{F(X_1, X_2, X_3) = 10110_2\}$, where:

$F(X_1, X_2, X_3) = (X_1 \boxplus (X_2 \oplus (X_1 \boxminus X_2 \boxplus 25))) \oplus (X_1\ \mathrm{AND}\ X_3).$ (9)


The first step is to cancel the operator $\boxminus$ by (1), and by rewriting the expression we get

$F(X_1, X_2, X_3) = (X_1 + (X_2 \oplus (X_1 + (\mathrm{NOT}\, X_2) + 26))) \oplus (X_1\ \mathrm{AND}\ X_3).$

The function $F(\cdot)$ is a PLFM, since it can be expressed in $A$ and $B$ terms (the $S$ terms are simply elements from the set $\{X_1, X_2, X_3, 26\}$), i.e.,

$B_1(\mathbf{X}, \mathbf{C}) = \mathrm{NOT}\, X_2,$
$A_1(\mathbf{X}, \mathbf{C}) = X_1 + B_1(\mathbf{X}, \mathbf{C}) + 26,$
$B_2(\mathbf{X}, \mathbf{C}) = X_2 \oplus A_1(\mathbf{X}, \mathbf{C}),$
$A_2(\mathbf{X}, \mathbf{C}) = X_1 + B_2(\mathbf{X}, \mathbf{C}),$
$B_3(\mathbf{X}, \mathbf{C}) = A_2(\mathbf{X}, \mathbf{C}) \oplus (X_1\ \mathrm{AND}\ X_3),$ where $F(X_1, X_2, X_3) = B_3(\mathbf{X}, \mathbf{C})$.

Applying Theorem 1 to construct $2n$ matrices:

1. $\theta_{\max} = \prod (k_i^+ + 1) = 3 \cdot 2 = 6$;
2. for $t = 0 \ldots 4$
3.   $C = 26[t:t]$
4.   for $(X_1, X_2, X_3) \in \{0,1\}^3$
5.     for $(\sigma_1, \sigma_2) = (0 \ldots 2,\ 0 \ldots 1)$
6.       $\mu_1 = \sigma_1 + X_1 + (\mathrm{NOT}\, X_2) + C$
7.       $\mu_2 = \sigma_2 + X_1 + (X_2 \oplus \mu_1 \bmod 2)$
8.       $f = (\mu_2 \oplus (X_1\ \mathrm{AND}\ X_3)) \bmod 2$
9.       $M_{f|t}[(\mu_1\ \mathrm{div}\ 2) \cdot 2 + (\mu_2\ \mathrm{div}\ 2)][\sigma_1 \cdot 2 + \sigma_2]$++.

After all computations we receive the following matrices:


$M_{\gamma_0=0|t=0} = \begin{pmatrix}
1 & 0 & 2 & 0 & 0 & 0 \\
0 & 5 & 0 & 0 & 0 & 0 \\
1 & 0 & 2 & 0 & 1 & 0 \\
0 & 1 & 2 & 2 & 0 & 5 \\
0 & 0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 0 & 1
\end{pmatrix}, \quad
M_{\gamma_0=1|t=0} = \begin{pmatrix}
5 & 0 & 0 & 2 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 \\
1 & 0 & 0 & 2 & 5 & 0 \\
0 & 1 & 2 & 2 & 0 & 1 \\
0 & 0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 0 & 1
\end{pmatrix},$

$M_{\gamma_1=0|t=1} = \begin{pmatrix}
2 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 \\
2 & 0 & 1 & 0 & 2 & 0 \\
2 & 2 & 0 & 5 & 0 & 0 \\
0 & 0 & 1 & 0 & 2 & 0 \\
0 & 0 & 0 & 1 & 2 & 2
\end{pmatrix}, \quad
M_{\gamma_1=1|t=1} = \begin{pmatrix}
0 & 2 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 \\
0 & 2 & 5 & 0 & 0 & 2 \\
2 & 2 & 0 & 1 & 0 & 0 \\
0 & 0 & 1 & 0 & 0 & 2 \\
0 & 0 & 0 & 1 & 2 & 2
\end{pmatrix}.$


No need to construct the matrices for $t = 2, 3, 4$, because they will repeat as $M_{*|t=2} = M_{*|t=0}$ and $M_{*|t=4} = M_{*|t=3} = M_{*|t=1}$. This happens since there are only two different combinations for any $t$-th "bit slice" of constants from the set $\mathbf{C} = \{26\}$. In particular, for every bit $t$ we have $26[t:t] = 0$ or $1$ in step 3 of the algorithm above. Finally, from (8) we calculate

$\Pr\{F(X_1, X_2, X_3) = 10110_2\} = \frac{1}{2^{15}}\, (1\ 1\ 1\ 1\ 1\ 1) \times M_{1|4} \times M_{0|3} \times M_{1|2} \times M_{1|1} \times M_{0|0} \times (1\ 0\ 0\ 0\ 0\ 0)^T = \frac{1}{2^{15}} \cdot 404 \approx 0.0123291015625.$

One can check this probability by the classical solution, trying all possible values for $(X_1, X_2, X_3) \in \mathbb{Z}_{2^5}^3$ and calculating the function $F(\cdot)$ directly from (9).

Preparing the matrices requires $2 \cdot 2^3 \cdot 6 = 96$ steps (2 values for $t$, 8 combinations for $(X_1, X_2, X_3)$, and the number of different local carries is $\theta_{\max} = 6$); each step requires one function evaluation. To calculate one probability we need to make 5 multiplications of a matrix and a vector, which takes $5 \cdot 6^2$ operations, plus one scalar product of two vectors at the end, i.e., in total 186 operations. Calculating the complete distribution for all possible $\gamma$'s takes $2^5 \cdot 186 = 5952$ operations in total. Note that the classical way requires $2^{3 \cdot 5} = 32768$ steps with one function evaluation per step. □
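The following Python program is added here as an illustration (it is not the paper's code): it runs the precomputation of Theorem 1 for Example 1 and checks the matrix-product count against the classical exhaustive evaluation. `build_matrices` takes the PLFM's bit-slice rule as a function, so the same code serves any PLFM for which that rule is written; all function names are my own.

```python
from itertools import product


def build_matrices(n, k, sigma_max, consts, step):
    """Precomputation of Theorem 1.

    Returns mats[t][g] for t = 0..n-1 and g = gamma_t in {0, 1}: integer matrices
    of size theta_max x theta_max with
      mats[t][g][theta_new][theta] = number of t-th input bit slices (x_1..x_k)
      that, started from local-carry state theta, output bit g and move to theta_new.
    `step(xbits, cbits, psi)` is the PLFM's bit-slice rule: given the t-th bits of
    the inputs and constants and the incoming carry tuple psi, it returns (f, psi_new).
    """
    states = list(product(*[range(s + 1) for s in sigma_max]))  # all carry tuples Psi
    index = {psi: i for i, psi in enumerate(states)}             # the Index(.) mapping
    mats = []
    for t in range(n):
        cbits = tuple((c >> t) & 1 for c in consts)             # t-th bit slice of C
        m = [[[0] * len(states) for _ in states] for _ in range(2)]
        for xbits in product((0, 1), repeat=k):
            for theta, psi in enumerate(states):
                f, psi_new = step(xbits, cbits, psi)
                m[f][index[psi_new]][theta] += 1
        mats.append(m)
    return mats


def count_by_matrices(gamma, mats):
    """(1 1 .. 1) x M_{gamma_{n-1}|n-1} x ... x M_{gamma_0|0} x (1 0 .. 0)^T, i.e. eq. (8)
    without the 1/2^{kn} factor: the number of input tuples with F = gamma."""
    v = [1] + [0] * (len(mats[0][0]) - 1)           # P_0: only the all-zero carry tuple
    for t, m in enumerate(mats):
        mt = m[(gamma >> t) & 1]                    # pick M_{gamma_t|t}
        v = [sum(row[j] * v[j] for j in range(len(v))) for row in mt]
    return sum(v)


# Example 1 of the paper: F = (X1 + (X2 xor (X1 + NOT X2 + 26))) xor (X1 AND X3), n = 5.
EX1_N, EX1_K, EX1_CONST = 5, 3, 26
EX1_SIGMA_MAX = (2, 1)   # A1 = X1 + B1 + 26 has two '+', A2 = X1 + B2 has one, eq. (2)


def ex1_step(x, c, psi):
    """Steps 6-9 of the paper's figure for one bit position:
    mu_i = sigma_i + (t-th bit of A_i), output bit f, new carries (mu_i div 2)."""
    x1, x2, x3 = x
    s1, s2 = psi
    mu1 = s1 + x1 + (1 - x2) + c[0]          # A1: X1 + (NOT X2) + 26 with carry-in
    mu2 = s2 + x1 + (x2 ^ (mu1 & 1))         # A2: X1 + B2, where B2 = X2 xor A1
    f = (mu2 ^ (x1 & x3)) & 1                # B3 = A2 xor (X1 AND X3) = F, bit t
    return f, (mu1 >> 1, mu2 >> 1)


def ex1_direct(x1, x2, x3, n=EX1_N):
    """F evaluated on whole n-bit words (the classical way), for cross-checking."""
    mask = (1 << n) - 1
    a1 = (x1 + (~x2 & mask) + EX1_CONST) & mask
    a2 = (x1 + (x2 ^ a1)) & mask
    return a2 ^ (x1 & x3)


def ex1_count_matrices(gamma, n=EX1_N):
    mats = build_matrices(n, EX1_K, EX1_SIGMA_MAX, [EX1_CONST], ex1_step)
    return count_by_matrices(gamma, mats)


def ex1_count_bruteforce(gamma, n=EX1_N):
    r = range(1 << n)
    return sum(1 for x1 in r for x2 in r for x3 in r if ex1_direct(x1, x2, x3, n) == gamma)


def ex1_probability(gamma, n=EX1_N):
    return ex1_count_matrices(gamma, n) / 2 ** (EX1_K * n)


if __name__ == "__main__":
    g = 0b10110
    print(ex1_count_matrices(g), ex1_count_bruteforce(g), ex1_probability(g))
```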

The second example, presented in Appendix A, is taken from real cryptanalysis. In that example we additionally demonstrate a new trick and show how the time complexity can be reduced even more than in Theorem 1. With a precomputation, which usually takes a negligible time, the construction of the complete distribution can have a very small time complexity $O(\theta_{\max} \cdot 2^n)$. That example also shows the advantage of the proposed technique, as the computation complexity $2^{96}$ of the classical solution is reduced down to $2^{32.585}$.

3 Distributions of Functions with Arbitrarily Distributed Inputs

The previous section assumed $X_1, X_2, \ldots$ to be uniformly distributed, allowing a combinatorial approach. In this section we consider $X_1, X_2, \ldots$ independent but with arbitrary distributions. Although the ideas described in this section were partly mentioned in [15], we include them for completeness.

Let us have a probability space $\Omega$ of size $q = |\Omega| = 2^n$ and two distributions $D_X$ and $D_Y$ over $\Omega$ for two random variables $X$ and $Y$, respectively. Given the distributions $D_X$ and $D_Y$ we consider two major types of convolution, defined as

$D_Z = D_X * D_Y \;\Rightarrow\; \Pr\{Z = Z_0\} = \sum_{\forall X_0, Y_0 \in \Omega:\ X_0 * Y_0 = Z_0} \Pr\{X = X_0\} \cdot \Pr\{Y = Y_0\}, \quad \forall Z_0 \in \mathbb{Z}_{2^n},$ (10)

where $*$ is either $\boxplus$ or $\oplus$.

In both cases the time complexity to calculate the resulting distribution $D_Z$ is $O(q^2)$, i.e., quadratic. Due to such a high complexity, many attacks in cryptanalysis deal with at most 16-18-bit distributions only. Nowadays, when the design of ciphers is often 32-bit oriented, it would be a challenging and useful task to perform a convolution of two 32-bit distributions, i.e., calculating $\Pr\{X + Y = \gamma\}$ for all $\gamma$ when $X$ and $Y$ have some arbitrary distributions.

For notation purposes the distribution $D_X$ will also be represented as a vector of size $2^n$ of probabilities as $[D_X] = (p_X(0), p_X(1), \ldots, p_X(2^n - 1))$, where $p_X(X_0) = \Pr\{X = X_0\}$.

Convolution over $\boxplus$. If $[D_X]$ and $[D_Y]$ are represented as two polynomials with coefficients from these two vectors, then the resulting vector $[D_Z]$ has the coefficients of the product of the polynomials $[D_X]$ and $[D_Y]$. Fast multiplication of two polynomials can be done via the Fast Fourier Transform (FFT) [17], the complexity of which is $O(q \log q)$². The convolution over $\boxplus$ can now easily be calculated as

$[D_Z] = [D_{X \boxplus Y}] = \mathrm{FFT}_n^{-1}\big(\mathrm{FFT}_n([D_X]) \cdot \mathrm{FFT}_n([D_Y])\big).$ (11)

Convolution over $\oplus$. A similar idea can be applied to this type of convolution. Instead, we use the Fast Hadamard Transform (FHT) [17].

FHT is a linear transformation of a vector of size $2^n$. This transformation can also be done by a matrix multiplication $H_n \times [V]$, where $H_n$ is the well-known Hadamard matrix. FHT, however, performs this matrix multiplication in time $O(q \log q) = O(n \cdot 2^n)$, the same as FFT. In practice, however, FHT is much faster than FFT, since it does not need to work with complex and floating-point numbers. Therefore, approximations of the kind $\boxplus \Rightarrow \oplus$ are preferable to the opposite direction. Additionally, the implementation of FHT is extremely simple and small in C/C++, and we present it in Appendix C.

Since $\mathrm{FHT}_n^{-1}$ differs from $\mathrm{FHT}_n$ only by the coefficient $2^{-n}$, the convolution over $\oplus$ via FHT is computed as

$[D_Z] = [D_{X \oplus Y}] = \frac{1}{2^n} \cdot \mathrm{FHT}_n\big(\mathrm{FHT}_n([D_X]) \cdot \mathrm{FHT}_n([D_Y])\big).$ (12)

Finally, we point out that the convolution of a linear composition of $k$ independent terms is derived as

$D_{(Z = c_1 X_1 \oplus c_2 X_2 \oplus \ldots \oplus c_k X_k)} = \frac{1}{2^n} \cdot \mathrm{FHT}_n\big(\mathrm{FHT}_n([D_{c_1 X_1}]) \cdot \ldots \cdot \mathrm{FHT}_n([D_{c_k X_k}])\big),$

where $c_i$ are some constants. In practice, this also means that if the distribution tables for $X_1, \ldots, X_k$ are stored with precisions $\varepsilon_1, \ldots, \varepsilon_k$ bits after the point, respectively, then for the probabilities of $Z$ a precision of only $\varepsilon = n + \sum_{j=1}^{k} \varepsilon_j$ bits after the point should be considered (or reserved) before the FHT procedure.
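As an added illustration (not the paper's Appendix C code), the following Python implements both convolutions of this section on a constructed pair of distributions and checks them against the quadratic definition (10): the FHT route for XOR from (12), and the size-q FFT route for modular addition from (11), where the cyclic reduction of footnote 2 happens automatically. Function names are my own.

```python
import cmath
import random


def fht(v):
    """In-place Fast Hadamard (Walsh) Transform of a length-2^n list; O(n * 2^n).
    Unnormalised: applying it twice multiplies the vector by 2^n, which is why
    FHT^-1 = 2^-n * FHT in eq. (12)."""
    q, h = len(v), 1
    while h < q:
        for i in range(0, q, 2 * h):
            for j in range(i, i + h):
                a, b = v[j], v[j + h]
                v[j], v[j + h] = a + b, a - b
        h *= 2
    return v


def fft(v, inverse=False):
    """Recursive radix-2 FFT (length must be a power of two); unnormalised."""
    q = len(v)
    if q == 1:
        return [complex(v[0])]
    sign = 1 if inverse else -1
    even, odd = fft(v[0::2], inverse), fft(v[1::2], inverse)
    out = [0j] * q
    for k in range(q // 2):
        w = cmath.exp(sign * 2j * cmath.pi * k / q) * odd[k]
        out[k], out[k + q // 2] = even[k] + w, even[k] - w
    return out


def conv_xor(dx, dy):
    """[D_{X xor Y}] = 2^-n * FHT(FHT([D_X]) . FHT([D_Y])), eq. (12)."""
    q = len(dx)
    fx, fy = fht(list(dx)), fht(list(dy))
    return [z / q for z in fht([a * b for a, b in zip(fx, fy)])]


def conv_add(dx, dy):
    """[D_{X boxplus Y}] = FFT^-1(FFT([D_X]) . FFT([D_Y])), eq. (11).  Because the FFT
    has size q, the polynomial product is reduced modulo x^q - 1 automatically, which
    is exactly the "powers taken modulo q" of footnote 2 (addition modulo 2^n)."""
    q = len(dx)
    fx, fy = fft(dx), fft(dy)
    z = fft([a * b for a, b in zip(fx, fy)], inverse=True)
    return [c.real / q for c in z]


def conv_direct(dx, dy, op):
    """Definition (10) evaluated directly: the O(q^2) reference; op is '+' or '^'."""
    q = len(dx)
    dz = [0.0] * q
    for x0, px in enumerate(dx):
        for y0, py in enumerate(dy):
            z0 = (x0 + y0) % q if op == '+' else x0 ^ y0
            dz[z0] += px * py
    return dz


def random_distribution(n, seed):
    """A constructed, non-uniform distribution over Z_{2^n} (sample input only)."""
    rng = random.Random(seed)
    w = [rng.random() ** 3 for _ in range(1 << n)]
    s = sum(w)
    return [x / s for x in w]


def point_mass(n, value):
    """Distribution of a constant: makes the difference between the two convolutions visible."""
    d = [0.0] * (1 << n)
    d[value] = 1.0
    return d


def max_abs_diff(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


def max_errors(n=6, seeds=(1, 2)):
    """Largest deviation of the fast convolutions from definition (10) on constructed input."""
    dx, dy = random_distribution(n, seeds[0]), random_distribution(n, seeds[1])
    return (max_abs_diff(conv_xor(dx, dy), conv_direct(dx, dy, '^')),
            max_abs_diff(conv_add(dx, dy), conv_direct(dx, dy, '+')))


if __name__ == "__main__":
    print(max_errors())
```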

In the sections above several algorithms have been derived with good time complexities, which, in most cases, allow us to operate on large distributions. However, memory complexity becomes the main concern for implementation. We have algorithms that operate with 32-bit distributions,

² The resulting polynomial $[D_X] \cdot [D_Y]$ is of degree $2q$, but its powers have to be taken modulo $q$. It means that the second half just needs to be added to the first half of $2^n$ coefficients, in order to receive $[D_Z]$. However, this is done automatically when an FFT of size $q$ is applied to $[D_X]$ and $[D_Y]$ directly.
but how to manage the memory? We present a possible solution in Appendix B, suggest our data structures for large distributions and show how typical operations can be performed.

4 Application: 32-Bit Cryptanalysis of SNOW 2.0 

A stream cipher is a cryptographic primitive used to ensure privacy on a communication channel. The SNOW family is a typical example of word-oriented keystream generators (KSGs) based on a linear feedback shift register (LFSR). SNOW 2.0 is an improved version of SNOW 1.0 aimed to be more secure and still more efficient in performance. The most powerful attack on SNOW 2.0 was presented by Watanabe, Biryukov and De Cannière [18] in 2003. It is a linear distinguishing attack similar to the general framework presented in [19,20] and it requires a received keystream sequence of length $2^{225}$ bits and has a similar time complexity.

In this section we propose an improved attack on SNOW 2.0. Whereas the attack in [18] uses a binary linear approximation approach, the new attack is based on approximations of words, i.e., 32-bit vectors. This technique is more powerful and we get a reduction of the required keystream length to $2^{202}$. To make the calculation of 32-bit distributions possible we use our algorithms and data structures from Appendix B.

4.1 A Short Description of SNOW 2.0 

The structure of SNOW 2.0 is shown in Figure 1. It has a 128- or 256-bit secret key and a 128-bit initial vector. It is based on an LFSR over $\mathbb{F}_{2^{32}}[x]$ and the feedback polynomial is given by

$\pi(x) = \alpha x^{16} + x^{14} + \alpha^{-1} x^5 + 1,$ (13)

where $\alpha$ is a root of the polynomial

$y^4 + \beta^{23} y^3 + \beta^{245} y^2 + \beta^{48} y + \beta^{239} \in \mathbb{F}_{2^8}[y],$ (14)

and $\beta$ is a root of

$z^8 + z^7 + z^5 + z^3 + 1 \in \mathbb{F}_2[z].$ (15)

The state of the LFSR is denoted by $(s_{t+15}, s_{t+14}, \ldots, s_t)$. Each $s_{t+i}$ is an element of the field $\mathbb{F}_{2^{32}}$. The Finite State Machine (FSM) has two 32-bit registers, $R1$ and $R2$. The output of the FSM $F_t$ is given by

$F_t = (s_{t+15} \boxplus R1_t) \oplus R2_t, \quad t \geq 0,$ (16)

and the keystream $z_t$ is given by

$z_t = F_t \oplus s_t, \quad t \geq 1.$ (17)

The two registers $R1$ and $R2$ are updated as follows,

$R1_{t+1} = s_{t+5} \boxplus R2_t,$
$R2_{t+1} = S'(R1_t),$ (18)
where $S'(W)$ is a one-to-one mapping transformation $S' : \mathbb{F}_{2^{32}} \rightarrow \mathbb{F}_{2^{32}}$. If a 32-bit integer $W$ is represented as a vector of 4 8-bit bytes $W = (w_0\ w_1\ w_2\ w_3)^T$, then

$S'(W) = \begin{pmatrix} x & x+1 & 1 & 1 \\ 1 & x & x+1 & 1 \\ 1 & 1 & x & x+1 \\ x+1 & 1 & 1 & x \end{pmatrix} \times \begin{pmatrix} S_R[w_0] \\ S_R[w_1] \\ S_R[w_2] \\ S_R[w_3] \end{pmatrix},$ (19)

where $S_R$ is the Rijndael 8-to-8-bit S-box, and the linear transformation (matrix multiplication) is done in the field $\mathbb{F}_{2^8}$ with generating polynomial

$g(x) = x^8 + x^4 + x^3 + x + 1 \in \mathbb{F}_2[x].$ (20)


4.2 Basic Idea Behind the New Attack 

The basic idea behind the new attack is to find such a linear combination of the output words $z_i$ that is equal to 0 if the system is linear, or produces some biased noise if the system is approximated by a linear function. On the other hand, the linear combination representing the noise should be unbiased if the given sequence is truly random.

Consider the feedback polynomial of the LFSR given in equation (13), i.e., $\pi(x) = \alpha x^{16} + x^{14} + \alpha^{-1} x^5 + 1$. A similar relation holds for the LFSR's output $s_t$ at any time $t$, i.e.,

$s_{t+16} \oplus \alpha^{-1} s_{t+11} \oplus s_{t+2} \oplus \alpha s_t = 0, \quad t \geq 1.$ (21)
Next we make an approximation of the FSM to make it look linear. For any time $t \geq 1$ two output words $z_t$ and $z_{t+1}$ can be expressed as

$z_t = s_t \oplus (R1 \boxplus s_{t+15}) \oplus R2,$
$z_{t+1} = s_{t+1} \oplus S'(R1) \oplus (R2 \boxplus s_{t+5} \boxplus s_{t+16}).$ (22)

Let us substitute $\boxplus \rightarrow \oplus$ and change $S'(R) \rightarrow R$. Then the sum $z_t \oplus z_{t+1}$ is expressed as

$z_t \oplus z_{t+1} = s_t \oplus (R1 \oplus s_{t+15} \oplus N_{c2}(R1, s_{t+15})) \oplus R2$
$\quad \oplus s_{t+1} \oplus (R1 \oplus N_S(S'(R1), R1))$
$\quad \oplus (R2 \oplus s_{t+5} \oplus s_{t+16} \oplus N_{c3}(R2, s_{t+5}, s_{t+16}))$
$= s_t \oplus s_{t+1} \oplus s_{t+5} \oplus s_{t+15} \oplus s_{t+16} \oplus N_0(t),$ (23)

where $N_0(t)$ is a variable representing the error introduced by the linear approximation at time $t$,

$N_0(t) = N_{c2}(R1, s_{t+15}) \oplus N_S(S'(R1), R1) \oplus N_{c3}(R2, s_{t+5}, s_{t+16}).$ (24)

Here $N_{c2}(R1, s_{t+15})$ is a noise random variable introduced by the approximation of the modulo sum of two variables of the following kind: "$R1 \boxplus s_{t+15} \rightarrow R1 \oplus s_{t+15} \oplus N_{c2}$". The variable $N_{c3}(R2, s_{t+5}, s_{t+16})$ is a similar approximation noise, but for the modulo sum of three variables. Finally, $N_S(S'(R1), R1)$ is the noise variable from the approximation "$S'(R1) \rightarrow R1 \oplus N_S$". Let us derive a linear relation, based on (21).

$0 = (s_{t+16} \oplus \alpha^{-1} s_{t+11} \oplus s_{t+2} \oplus \alpha s_t) \oplus (s_{t+17} \oplus \alpha^{-1} s_{t+12} \oplus s_{t+3} \oplus \alpha s_{t+1})$
$\quad \oplus (s_{t+21} \oplus \alpha^{-1} s_{t+16} \oplus s_{t+7} \oplus \alpha s_{t+5}) \oplus (s_{t+31} \oplus \alpha^{-1} s_{t+26} \oplus s_{t+17} \oplus \alpha s_{t+15}) \oplus (s_{t+32} \oplus \alpha^{-1} s_{t+27} \oplus s_{t+18} \oplus \alpha s_{t+16})$
$= (s_{t+16} \oplus s_{t+17} \oplus s_{t+21} \oplus s_{t+31} \oplus s_{t+32}) \oplus \alpha^{-1} \cdot (s_{t+11} \oplus s_{t+12} \oplus s_{t+16} \oplus s_{t+26} \oplus s_{t+27})$
$\quad \oplus (s_{t+2} \oplus s_{t+3} \oplus s_{t+7} \oplus s_{t+17} \oplus s_{t+18}) \oplus \alpha \cdot (s_t \oplus s_{t+1} \oplus s_{t+5} \oplus s_{t+15} \oplus s_{t+16})$
$= (z_{t+2} \oplus z_{t+3} \oplus z_{t+16} \oplus z_{t+17}) \oplus \alpha^{-1} \cdot (z_{t+11} \oplus z_{t+12}) \oplus \alpha \cdot (z_t \oplus z_{t+1})$
$\quad \oplus (N_0(t+2) \oplus N_0(t+16)) \oplus \alpha^{-1} \cdot N_0(t+11) \oplus \alpha \cdot N_0(t) = Z(t) \oplus N(t),$ (25)

where $N(t)$ is the 32-bit total sum of noise variables introduced by several approximations, expressed as $N(t) = (N_0(t+2) \oplus N_0(t+16)) \oplus \alpha^{-1} \cdot N_0(t+11) \oplus \alpha \cdot N_0(t)$, and $Z(t)$ is the "known" part calculated from the output sequence at any time $t$, $Z(t) = (z_{t+2} \oplus z_{t+3} \oplus z_{t+16} \oplus z_{t+17}) \oplus \alpha^{-1}(z_{t+11} \oplus z_{t+12}) \oplus \alpha(z_t \oplus z_{t+1})$. Obviously, $N(t) \oplus Z(t) = 0$.

After all, a linear distinguishing attack can now be performed, if we know the distribution $D_N$ of the 32-bit noise variable $N$. For a sufficiently large number of received symbols from either the random distribution $D_{\mathrm{Random}}$, or the distribution of the noise $D_N$, one can construct the type (or empirical distribution) $D_{\mathrm{Type}}$. We then make a decision whether the stream comes from a truly random generator or from the cipher, according to the distances from $D_{\mathrm{Type}}$ to $D_N$ and $D_{\mathrm{Random}}$. Note, the 32-bit noise distribution definitely contains the best binary approximation found in [18], but, clearly, it also contains some additional information, which makes the bias of the noise larger.

We will explain this procedure in more detail in the full version of the paper, but since this is standard hypothesis testing we simply refer to, e.g., [9,21].

4.3 Computational Aspects 

To calculate the bias of the 32-bit noise variable $N$, its distribution table has to be constructed. It can be calculated via the distribution of $N_0$, expressed in (24)³. To construct the distributions of $N_{c2}$ and $N_{c3}$ we use Theorem 1 (PLFM construction). The expression for $N_S$ is a function of one variable, i.e., it takes no more than $O(2^{32})$ operations to build the distribution $D_{N_S}$. Next, the distribution of $N_0$ is calculated via FHT with the algorithm from Section 3 (convolution over $\oplus$) and Appendix B (FHT for large distributions). Afterwards, the distributions of $\alpha \cdot N_0$ and $\alpha^{-1} \cdot N_0$ were computed using algorithms described in Appendix B (function evaluation). Finally, we again use FHT to calculate the distribution of the total noise variable $D_N$, and then calculate the bias $\varepsilon = |D_N - D_{\mathrm{Random}}|$.

All these operations took us less than 2 weeks on a usual Pentium IV 3.4GHz with 2Gb of memory and 256Gb of HDD.

4.4 Simulation Results and Discussions 

At the end of our simulations we received the distance $\varepsilon = |D_N - D_{\mathrm{Random}}| \approx 2^{-101}$, which means that SNOW 2.0 can be distinguished from random with a known keystream of size $2^{202}$, and with a similar time complexity. The advantage of our attack is presented in the following table.

Attack on SNOW 2.0    | bit(s) considered | bias ($\varepsilon$) | complexity
Watanabe et al. [18]  | 1                 | $2^{-112.25}$        | $2^{225}$
our attack            | 32                | $2^{-101}$           | $2^{202}$


For future research work on this topic it is left to note that the expression for the noise variable $N(t)$ (25) contains two parts, $N_{c3}(R2_t, s_{t+5}, s_{t+16})$ and $N_{c3}(R2_{t+11}, s_{t+16}, s_{t+27})$, which, in our simulations, were considered as independent. However, since they both use the same input $s_{t+16}$, they are not really independent and, theoretically, the result should be slightly improved if one considers them as dependent.

³ We adopted the data structures from Appendix B for our simulations as follows: we use $2^{10}$ files, each containing $2^{22}$ points of a sub distribution. Since the precision of the probabilities has to be at least $2^{-(192 \cdot 4 + 32)}$ (four noises $N_0$, each containing $N_S$ with precision $2^{-32}$, $N_{c2}$ with precision $2^{-64}$, and $N_{c3}$ with precision $2^{-96}$; plus 32 bits must be reserved for FHT), each cell has to be of size at least 100 bytes. I.e., each sub distribution in the memory takes at least 400Mb. However, this estimate is conservative, and in our simulations we used almost 2Gb of operating memory.
5 Results and Conclusions

In this paper we have proposed new algorithms for computation of distributions of certain functions where the input variables are from a large alphabet. In the case when the input variables were uniformly distributed, the distribution for a class of functions called PLFM was shown to be efficiently calculable. The second case considered the same problem but for arbitrary distributions of the input variables. Efficient methods of calculating the distribution of sums of variables both in $\mathbb{Z}_{2^n}$ and $\mathbb{F}_{2^n}$ were proposed, based on the Fast Fourier Transform and the Fast Hadamard Transform, respectively.

The cryptologic applications of the results were demonstrated by extending 
the linear cryptanalysis of the stream cipher SNOW 2.0 to work over a larger 
alphabet. We believe that there are many instances of stream ciphers as well 
as block ciphers, where cryptanalytic results can be improved by considering 
analysis over a larger alphabet. In all these cases, the algorithms derived in this 
paper will be essential for calculating the performance of such attacks. 

We also believe that the technique considering "local carries" presented in the algorithms for PLFMs can easily be transformed for finding one or even all solutions of equations like $F(X_1, \ldots, X_k) = 0$. Finding solutions for other kinds of equations, including $F(X_1, \ldots, X_k) = \gamma$ and systems of equations, is obviously converted to finding one or all solutions of an equation of the first kind. Consequently, many properties of PLFM functions can be derived, similarly as was done for smaller classes in, e.g., [11,12,14]. More details will be included in the extended version of this paper.

A few open problems can be mentioned. Clearly, we would like to find other 
classes of functions where we can compute the distribution efficiently. Also, we 
would like to find further instances of existing ciphers where linear attacks over 
larger alphabets are applicable. 
Appendix A: Second Example from Real Cryptanalysis

Example 2. Let us have $k = 3$ uniformly distributed independent random variables $X_1, X_2, X_3 \in \mathbb{Z}_{2^{32}}$, i.e., $n = 32$. Assume in some cryptanalysis we perform a linear approximation $X_1 \boxplus X_2 \boxplus X_3 \rightarrow X_1 \oplus X_2 \oplus X_3 \oplus N$, where $N$ is a noise variable introduced due to the approximation. The task is to find the bias $\varepsilon$ of the noise variable $N$.

The expression for $N$ is $N = (X_1 + X_2 + X_3) \oplus X_1 \oplus X_2 \oplus X_3 \bmod 2^{32}$, with the arithmetic term $A_1 = X_1 + X_2 + X_3$ and the Boolean term $B_1 = A_1 \oplus X_1 \oplus X_2 \oplus X_3$, which is a PLFM with only one $A$ term. The maximum carry-bit index value is $\theta_{\max} = (k_1^+ + 1) = 3$. Since no constants are involved, all matrices $M_{*|t}$ for all $t$'s are the same. Hence, only two matrices $M_{0|0}$ and $M_{1|0}$ have to be constructed, using Theorem 1.

$M_{\gamma_0=0|t=0} = \begin{pmatrix} 4 & 0 & 0 \\ 4 & 0 & 4 \\ 0 & 0 & 4 \end{pmatrix}, \quad M_{\gamma_0=1|t=0} = \begin{pmatrix} 0 & 1 & 0 \\ 0 & 6 & 0 \\ 0 & 1 & 0 \end{pmatrix}.$ (26)

The probability $\Pr\{N = \gamma\}$ can now be calculated efficiently. For example,

$\Pr\{N = \gamma = \mathtt{0x72A304F8}\} = \frac{1}{2^{96}}\, (1\ 1\ 1) \times \Big(\prod_{t=31}^{0} M_{\gamma_t|t}\Big) \times (1\ 0\ 0)^T = \frac{1}{2^{96}} \cdot 2187 \cdot 2^{51} \approx 0.266967773 / 2^{32}.$

Note that the probability for an odd $\gamma$ is 0. To calculate one probability the number of $32 \cdot 3^2 + 3 = 291$ operations is required. Hence, calculating the complete distribution would take $291 \cdot 2^{32}$ operations.

However, this time complexity can be reduced significantly with the use of specific data structures, which we call "fast-tables". Each table has $2^{16}$ entries, which contain 3-dimensional vectors. These tables are precomputed as shown in the algorithm below. This precomputation requires $2^{16} \cdot 2 \cdot 3^2 = 9 \cdot 2^{17}$ operations. The advantage is that any probability can now be derived as just one scalar product

$\Pr\{N = \gamma\} = \frac{1}{2^{3 \cdot 32}} \cdot \langle \mathrm{FastT}[0][\gamma_{15} \ldots \gamma_0],\ \mathrm{FastT}[1][\gamma_{16} \ldots \gamma_{31}] \rangle$⁴, (27)

which takes only 3 operations (instead of 291). Finally, the bias $\varepsilon$ can be derived as follows:

⁴ Note, the input for $\mathrm{FastT}[1][\cdot]$ is bit-reversed.


Fast-tables precomputation algorithm:

1. Data structures:
   $\mathrm{FastT}[2][0 \ldots 2^{16} - 1]$ - two 'fast-tables'

2. Initialisation:
   $\mathrm{FastT}[0][0] = (1\ 0\ 0)^T$, $\mathrm{FastT}[1][0] = (1\ 1\ 1)$

3. Precomputation of the tables:
   for $t = 0 \ldots 15$
     for $x = 1, 0$ (note, the order is backward)
       for $Y = 0 \ldots 2^t - 1$
         $\mathrm{FastT}[0][x\|Y_t] = M_{x|t} \times \mathrm{FastT}[0][Y]$⁵
         $\mathrm{FastT}[1][x\|Y_t] = \mathrm{FastT}[1][Y] \times M_{x|t}$

⁵ $Y_t$ is a $t$-bit value of $Y$, i.e., in C/C++ it would look like: (x||Y_t) = (x<<t)|Y
1. $\varepsilon = 0.5$ (the bias for odd values of $\gamma$)
2. for $\gamma = 0 \ldots 2^{31} - 1$ (only even values $2\gamma$ are considered)
3.   $\varepsilon$ += $|\Pr\{N = 2\gamma\} - 2^{-32}|$

The total time for this solution is the following sum: $2 \cdot 2^3 \cdot 3 = 48$ to compute the matrices, $9 \cdot 2^{17}$ to precompute the fast-tables, and $3 \cdot 2^{31}$ to calculate the bias $\varepsilon$. In total $6443630640 \approx 2^{32.585}$ operations are required. To calculate the distribution of the noise variable $N$ the same number of operations is needed, whereas the classical solution requires $2^{96}$ operations. Note, when the question is only to find the bias $\varepsilon$ for some large distribution under memory limit conditions, the classical solution will fail with respect to the memory limits. □
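The fast-table trick of Example 2 as an added Python example (not the paper's own code): the two 3x3 matrices of (26) are precomputed into FastT[0] and FastT[1] exactly as in the algorithm above, including the backward x = 1, 0 order and the bit-reversed index for FastT[1], and each probability is then one scalar product (27), checked against the 32-step matrix chain. Function names are my own.

```python
# The two connection matrices of eq. (26): rows are the new carry sigma', columns the old sigma.
M0 = [[4, 0, 0], [4, 0, 4], [0, 0, 4]]   # M_{gamma_t = 0 | t}: output bit 0
M1 = [[0, 1, 0], [0, 6, 0], [0, 1, 0]]   # M_{gamma_t = 1 | t}: output bit 1
M = (M0, M1)                             # N has no constants, so the same pair for every t
N_BITS, HALF = 32, 16                    # each fast-table covers one half of the 32 bits


def mat_vec(m, v):
    """Column vector M x v."""
    return tuple(sum(m[i][j] * v[j] for j in range(3)) for i in range(3))


def vec_mat(v, m):
    """Row vector v x M."""
    return tuple(sum(v[i] * m[i][j] for i in range(3)) for j in range(3))


def build_fast_tables():
    """Precomputation of FastT[0] and FastT[1] (9 * 2^17 multiplications).
    After the loops, with y_i denoting bit i of the 16-bit index Y:
      FastT[0][Y] = M_{y_15} x ... x M_{y_0} x (1 0 0)^T      (column vector)
      FastT[1][Y] = (1 1 1) x M_{y_0} x ... x M_{y_15}        (row vector)"""
    fast0 = [None] * (1 << HALF)
    fast1 = [None] * (1 << HALF)
    fast0[0], fast1[0] = (1, 0, 0), (1, 1, 1)
    for t in range(HALF):
        for x in (1, 0):                  # backward order: x = 0 overwrites entry Y itself
            for y in range(1 << t):
                fast0[(x << t) | y] = mat_vec(M[x], fast0[y])
                fast1[(x << t) | y] = vec_mat(fast1[y], M[x])
    return fast0, fast1


_TABLES = None


def fast_tables():
    """Build the tables once and reuse them."""
    global _TABLES
    if _TABLES is None:
        _TABLES = build_fast_tables()
    return _TABLES


def bit_reverse16(v):
    """FastT[1] is indexed by gamma_31 .. gamma_16 in reversed bit order (footnote 4)."""
    return int(format(v, '016b')[::-1], 2)


def count_fast(gamma, tables=None):
    """Number of (X1, X2, X3) in Z_{2^32}^3 with N = gamma, as one scalar product, eq. (27)."""
    fast0, fast1 = tables or fast_tables()
    low = gamma & 0xFFFF                  # gamma_15 .. gamma_0
    high = bit_reverse16(gamma >> 16)     # gamma_16 .. gamma_31, bit-reversed
    return sum(a * b for a, b in zip(fast1[high], fast0[low]))


def prob_fast(gamma, tables=None):
    return count_fast(gamma, tables) / 2 ** (3 * N_BITS)


def count_matrix_chain(gamma):
    """Reference: the 32 matrix-vector products of Theorem 1 (the 291-operation route)."""
    v = (1, 0, 0)
    for t in range(N_BITS):
        v = mat_vec(M[(gamma >> t) & 1], v)
    return sum(v)


if __name__ == "__main__":
    g = 0x72A304F8
    print(count_fast(g) == 2187 * 2 ** 51, prob_fast(g) * 2 ** 32)
```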

Appendix B: Data Structures for Large Distributions and Operations

B.1 Data Structure Proposal

Assume we want to operate on a distribution of size $2^n$, but the operating memory allows us to work only with a distribution of size at most $2^m$, where $m < n$. If this is the case, to be able to work with large distributions of size $2^n$ we propose to use hard disk memory (HDD). Let

$r = n - m,$

then one needs to create $2^r$ files on HDD, which we denote as $\mathrm{File}^r_A$, to store one distribution table. The upper parameter $r$ denotes the number of files to be created ($2^r$), and the index at the bottom is the selector of a particular file. Sometimes we will also write $\mathrm{File}^r_{X:A}$ to show that this is the sub distribution file $A$ for the random variable $X$. Each file stores the corresponding sub distribution of size $2^m$. I.e., the probability $\Pr\{X = X_0\}$ can be accessed by

$\Pr\{X = X_0\} = \mathrm{File}^r_{X:(X_0[m:n-1])}[X_0 \bmod 2^m].$ (28)

Note that the upper $r = (n - m)$ bits select the file, and the lower $m$ bits are the cell index in the sub distribution.

The operating memory is regarded as fast memory, whereas the HDD is regarded as very slow memory. When working with such a data structure, frequent access (loading and saving) to the files on HDD should be avoided, since these operations are much slower than memory access. I.e., most operations have to be done in the operating memory domain, and the number of file accesses has to be reduced as much as possible. In the next parts of this Appendix we present efficient solutions to apply common algorithms when operating on large distributions with the proposed data structures.

B.2 A PLFM Distribution Construction 

For a given pseudo-linear function F(·) modulo 2^n its distribution can be 
constructed as follows. 
1. for A = 0 ... 2^r - 1 
2.   load sub distribution SubDist[·] ← File^r_A 
3.   calculate the vector v = (1 1 ... 1) × [matrix factors unreadable in the scan] 
4.   for B = 0 ... 2^m - 1 
5.     SubDist[B] = Pr{F = A||B} = v × (∏_{t=m-1} [unreadable in the scan]) × (1 0 ... 0)^T 
6.   save sub distribution File^r_A ← SubDist[·] 

This algorithm requires each file to be accessed once. Additionally, steps 3 and 5 
could be done more efficiently with precomputed fast tables (see, e.g., Appendix A). 

B.3 A Function Y = F(X) Evaluation Distribution 

Let us have a distribution D_X of a random variable X, stored in data structures 
as suggested before. Let us also have a function F(X) defined on one variable. We 
need to construct the distribution of Y = F(X) in an efficient way. As an example, 
this function could be a multiplication a·X in some finite field, a permutation 
of X, a multiplication by a matrix, or some other function on X in general. 

One could take the values of X consecutively, and then each time calculate 
Y. The problem appears when the consecutive values of Y should be stored in 
different files. It could happen that we need to access the Y's files O(2^n) times, 
which is expensive in time. 

We suggest the following algorithm, consisting of three stages. In the first stage 
the function is evaluated and the resulting Y's are separated into two files (bins), 
according to the value of the upper bit. In the second stage we perform a binary sorting 
algorithm, each time dividing each bin into two new bins. The third stage accumulates 
the probabilities from the bins and transfers the resulting sub distributions 
to the data structures (files) of Y. 

Stage I: Evaluate Y = F(X) and separate into two files (narrowed distribution) 

1. create two files (bins) f_0 = *File^1_{Y:(0)} and f_1 = *File^1_{Y:(1)} 
2. for all A = 0 ... 2^{n-m} - 1 
3.   load sub distribution SubDist_X[·] ← File^r_{X:A} 
4.   for all B = 0 ... 2^m - 1 
5.     evaluate Y_0 = F(A||B) 
6.     save the pair f_{Y_0[n-1:n-1]} ← (SubDist_X[B], Y_0) 
7. close the files f_0 and f_1 

Stage II: Expand the files *File^k_{Y:(A)} → *File^{k+1}_{Y:(A||0)}, *File^{k+1}_{Y:(A||1)} 

1. for k = 1 ... r - 1 
2.   for all A = 0 ... 2^k - 1 
3.     open two files f_0 = *File^{k+1}_{Y:(A||0)} and f_1 = *File^{k+1}_{Y:(A||1)} 
4.     while (not the end of the file *File^k_{Y:(A)}) 
5.       read the pair (p, Y_0) ← *File^k_{Y:(A)} 
6.       save the pair f_{Y_0[n-k-1:n-k-1]} ← (p, Y_0) 
7.     close the files f_0 and f_1 
Stage III: Construct File^r_{Y:A} from *File^r_{Y:(A)} 

1. for all A = 0 ... 2^r - 1 
2.   clear SubDist_Y[0 ... 2^m - 1] 
3.   while (not the end of the file *File^r_{Y:(A)}) 
4.     read the pair (p, Y_0) ← *File^r_{Y:(A)} 
5.     SubDist_Y[Y_0] = SubDist_Y[Y_0] + p 
6.   save sub distribution File^r_{Y:A} ← SubDist_Y[·] 

The complexity of this algorithm is O((1 + r) · 2^n). However, the coefficient r 
in the complexity can be reduced with a small programming trick. If at step 
II.3 we instead open 2^d files (in Windows at most 2^9 files can be open at the 
same time), and perform not a binary sorting but a sorting on d bits at once, 
then the complexity is reduced to O((1 + r/d) · 2^n). For example, if the 
number of files is 2^16 (r = 16), then with d = 8 we can compute the distribution 
of any function F(X) by reading and storing distributions of size 2^n from the 
files only 3 times (instead of 17). 

Note that in the implementation of the FFT the first operation is the construction 
of the distribution D_{Rev(X)} for the bit reverse of the random variable X, 
which is just a sub case of the general problem of this sub section. We simply 
define the function Y = F(X) such that Y is the bit-reverse of X, and apply 
the algorithm above. There are other, nicer and more efficient solutions for this 
particular problem, but we only mention their existence. 
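The three-stage construction of D_Y for Y = F(X) from Appendix B.3, with the bit reversal needed before the FFT as F. This is an added example, not the paper's code; the in-memory vectors standing in for the HDD files, the function names and the constructed integer weights are assumptions made here.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

typedef std::vector<int64_t> SubDist;                    // one File_{X:A}: 2^m probabilities (integer weights here)
typedef std::vector<std::pair<int64_t, uint32_t> > Bin;  // one *File: (probability, Y) pairs

// Bit reversal of an n-bit value: the F(X) used before the FFT (Appendix B.3).
uint32_t bitReverse(uint32_t x, int n) {
  uint32_t y = 0;
  for (int i = 0; i < n; ++i) y |= ((x >> i) & 1u) << (n - 1 - i);
  return y;
}

// Construct D_Y for Y = F(X) from D_X held in 2^r files of 2^m entries (r = n - m >= 1).
// The files are in-memory vectors here (assumption); the stages mirror the HDD algorithm,
// and stage I reads every X file exactly once.
std::vector<SubDist> functionDistribution(const std::vector<SubDist> &fileX, int n, int m,
                                          uint32_t (*F)(uint32_t, int)) {
  int r = n - m;
  // Stage I: evaluate Y_0 = F(A||B) and drop (p, Y_0) into bin 0 or 1 by the top bit of Y_0.
  std::vector<Bin> bins(2);
  for (uint32_t A = 0; A < (1u << r); ++A) {
    const SubDist &sub = fileX[A];                         // load File_{X:A}
    for (uint32_t B = 0; B < (1u << m); ++B) {
      uint32_t Y0 = F((A << m) | B, n);
      bins[(Y0 >> (n - 1)) & 1u].push_back(std::make_pair(sub[B], Y0));
    }
  }
  // Stage II: binary sorting, bin (A) -> bins (A||0), (A||1) on bit n-k-1 of Y_0.
  for (int k = 1; k < r; ++k) {
    std::vector<Bin> next(1u << (k + 1));
    for (uint32_t A = 0; A < (1u << k); ++A)
      for (size_t i = 0; i < bins[A].size(); ++i) {
        uint32_t Y0 = bins[A][i].second;
        next[(A << 1) | ((Y0 >> (n - k - 1)) & 1u)].push_back(bins[A][i]);
      }
    bins.swap(next);
  }
  // Stage III: bin A now holds exactly the Y_0 whose upper r bits equal A; accumulate
  // it into File_{Y:A}, indexed by the lower m bits as in (28).
  std::vector<SubDist> fileY(1u << r, SubDist(1u << m, 0));
  for (uint32_t A = 0; A < (1u << r); ++A)
    for (size_t i = 0; i < bins[A].size(); ++i)
      fileY[A][bins[A][i].second & ((1u << m) - 1)] += bins[A][i].first;
  return fileY;
}

// Check against the direct computation Pr{Y = y} = sum of Pr{X = x} over all x with F(x) = y,
// on a constructed distribution of size 2^n (weights (5x + 1) mod 13 stand in for probabilities).
bool matchesDirect(int n, int m) {
  int r = n - m;
  std::vector<SubDist> fileX(1u << r, SubDist(1u << m, 0));
  std::vector<int64_t> direct(1u << n, 0);
  for (uint32_t x = 0; x < (1u << n); ++x) {
    int64_t p = (x * 5 + 1) % 13;
    fileX[x >> m][x & ((1u << m) - 1)] = p;
    direct[bitReverse(x, n)] += p;
  }
  std::vector<SubDist> fileY = functionDistribution(fileX, n, m, bitReverse);
  for (uint32_t y = 0; y < (1u << n); ++y)
    if (fileY[y >> m][y & ((1u << m) - 1)] != direct[y]) return false;
  return true;
}

int main() { return matchesDirect(6, 2) ? 0 : 1; }
```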

B.4 Convolution over ⊕ 

To perform a convolution over ⊕ we need to be able to perform the FHT on the 
proposed data structures. We propose a modified FHT algorithm, where first 
local FHTs for the sub distributions are performed separately, and then the 
“convolution” over the files is evaluated as follows. 

1. for A = 0 ... 2^r - 1 
2.   load sub distribution SubDist[·] ← File^r_A 
3.   FHT(m, SubDist) 
4.   save sub distribution File^r_A ← SubDist[·] 
5. FHT*(r, NULL) -- the same FHT as before but with another 
   butterfly function bfly*(j+k, j+k+(1<<i)). 

The modified butterfly function bfly* is 

1. bfly*(A, B) 
2.   load SubDist_1[·] ← File^r_A and SubDist_2[·] ← File^r_B 
3.   for i = 0 ... 2^m - 1 
4.     bfly(SubDist_1[i], SubDist_2[i]) 
5.   save File^r_A ← SubDist_1[·] and File^r_B ← SubDist_2[·] 

This algorithm requires loading/saving each file r = n - m times. The modified 
butterfly function bfly* can also be implemented memoryless: it can read one 
value from File^r_A and one value from File^r_B, perform the usual butterfly 
operation and save the results back to the files immediately. There are two additional 
ideas to accelerate the FHT evaluation: 

(a) In steps 3 and 4 of the algorithm above only two files are processed. Instead, 
we could have a larger block of 2^d files opened and processed at the same time. 
The calculation of the butterfly function on two probabilities SubDist_1[i] and 
SubDist_2[i] can then be substituted by a ‘local’ FHT on 2^d inputs instead. Since 
the size of each file is 2^m, we need to repeat this procedure 2^m times for each 
group of 2^d files (inputs are taken in parallel from a group of 2^d files opened at 
the same time, but the number of such parallel inputs for each group is 2^m). 
As a result, each file is accessed around (r + 1)/d times; 

(b) The computation can also be split into 2^c independent processes (2^c 
computers), and then the results can be merged together afterwards. 


B.5 Convolution over ⊞ 

A convolution over ⊞ on the suggested data structures can be done in a similar 
way as for ⊕. In the first step we perform the bit reversing operation on the input 
distribution, as described in Appendix B.3. Afterwards, we use the same idea as 
in the previous sub section, based on the parallel FFT circuit. The description 
of the parallel FFT circuit can be found in the book [17]. 

Appendix C: Efficient FHT Implementation in C/C++ 

Fast Hadamard Transform (FHT) implementation in C/C++: 

  // butterfly operation 
  template<class T> inline void bfly(T &a, T &b) 
  { T tmp = a; a += b; b = tmp - b; } 

  // FHT_n, size of the input distribution is 2^n 
  template<class T> void FHT(int n, T *Dist) 
  { for (int i = 0; i < n; ++i) 
      for (int j = 0; j < (1 << n); j += 1 << (i + 1)) 
        for (int k = 0; k < (1 << i); ++k) 
          bfly(Dist[j + k], Dist[j + k + (1 << i)]); 
  } 
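The file-split FHT of Appendix B.4 built on the butterfly of Appendix C, as an added example that is not from the paper: the in-memory FileStore standing in for the 2^r HDD files and its load/save counters are constructed here, so that the claim that each file is loaded once for the local FHT plus r times for the cross-file butterflies can be checked against the plain in-memory FHT.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Butterfly operation and in-memory FHT, as in Appendix C.
template<class T> inline void bfly(T &a, T &b) { T tmp = a; a += b; b = tmp - b; }
template<class T> void FHT(int n, T *Dist) {
  for (int i = 0; i < n; ++i)
    for (int j = 0; j < (1 << n); j += 1 << (i + 1))
      for (int k = 0; k < (1 << i); ++k)
        bfly(Dist[j + k], Dist[j + k + (1 << i)]);
}

// Stand-in for the HDD (assumption): 2^r files File^r_A, each a sub distribution of 2^m
// entries. The counters record the slow load/save operations of a real disk-backed version.
struct FileStore {
  std::vector<std::vector<int64_t> > files;
  std::vector<int> loads, saves;
  FileStore(int r, int m)
    : files(1u << r, std::vector<int64_t>(1u << m, 0)), loads(1u << r, 0), saves(1u << r, 0) {}
  std::vector<int64_t> load(int A) { ++loads[A]; return files[A]; }
  void save(int A, const std::vector<int64_t> &d) { ++saves[A]; files[A] = d; }
};

// Modified butterfly bfly*(A, B) of Appendix B.4: the usual butterfly applied
// element-wise between the sub distributions in file A and file B.
void bflyStar(FileStore &fs, int A, int B) {
  std::vector<int64_t> d1 = fs.load(A), d2 = fs.load(B);
  for (size_t i = 0; i < d1.size(); ++i) bfly(d1[i], d2[i]);
  fs.save(A, d1);
  fs.save(B, d2);
}

// FHT of a distribution of size 2^n = 2^r * 2^m held in 2^r files (Appendix B.4):
// local FHTs on the lower m bits, then FHT*(r) across the files on the upper r bits.
void fileFHT(FileStore &fs, int r, int m) {
  for (int A = 0; A < (1 << r); ++A) {          // steps 1-4: FHT(m, SubDist) per file
    std::vector<int64_t> d = fs.load(A);
    FHT(m, d.data());
    fs.save(A, d);
  }
  for (int i = 0; i < r; ++i)                   // step 5: FHT*(r) with bfly*
    for (int j = 0; j < (1 << r); j += 1 << (i + 1))
      for (int k = 0; k < (1 << i); ++k)
        bflyStar(fs, j + k, j + k + (1 << i));
}

// Constructed check: a distribution on 2^(r+m) points with weights (7x + 3) mod 11,
// transformed both in memory and through the files; the two results must agree.
bool fileFHTMatchesInMemory(int r, int m) {
  int n = r + m;
  std::vector<int64_t> full(1u << n);
  for (int x = 0; x < (1 << n); ++x) full[x] = (x * 7 + 3) % 11;
  FileStore fs(r, m);
  for (int A = 0; A < (1 << r); ++A)
    fs.save(A, std::vector<int64_t>(full.begin() + (A << m), full.begin() + ((A + 1) << m)));
  FHT(n, full.data());
  fileFHT(fs, r, m);
  for (int A = 0; A < (1 << r); ++A)
    for (int B = 0; B < (1 << m); ++B)
      if (fs.files[A][B] != full[(A << m) + B]) return false;
  return true;
}

// How often fileFHT loads a given file: once for the local FHT plus once per cross-file stage.
int loadsPerFile(int r, int m) {
  FileStore fs(r, m);
  fileFHT(fs, r, m);
  return fs.loads[0];
}

int main() { return (fileFHTMatchesInMemory(3, 4) && loadsPerFile(3, 4) == 4) ? 0 : 1; }
```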
Abstract. The XSL “algorithm” is a method for solving systems of 
multivariate polynomial equations based on the linearization method. It 
was proposed in 2002 as a dedicated method for exploiting the structure 
of some types of block ciphers, for example the AES and Serpent. Since 
its proposal, the potential for algebraic attacks against the AES has been 
the source of much speculation. Although it has attracted a lot of atten- 
tion from the cryptographic community, currently very little is known 
about the effectiveness of the XSL algorithm. In this paper we present 
an analysis of the XSL algorithm, by giving a more concise description 
of the method and studying it from a more systematic point of view. We 
present strong evidence that, in its current form, the XSL algorithm does 
not provide an efficient method for solving the AES system of equations. 

Keywords: XSL algorithm, T' method, Linearization, AES. 

1 Introduction 

In 2002 Courtois and Pieprzyk showed that recovering an AES encryption key 
was equivalent to solving a large system of multivariate quadratic equations over 
a small finite field [10,11]. They exploited the fact that the only non-linear component 
of the cipher (the S-Box) is based on the inverse map over the finite field 
F_{2^8}, and were able to obtain a set of multivariate quadratic equations that completely 
described the S-Box transformation. By combining all equations throughout 
the cipher, they were able to express the full encryption transformation as 
a large, sparse and overdefined system of multivariate quadratic equations over 
F_2 (in total 8000 equations with 1600 variables for the AES with 128-bit keys). 

The problem of solving systems of multivariate quadratic equations over a 
finite field is known to be NP-complete, and it is widely believed that the commonly 
applied techniques (such as Gröbner Basis algorithms) cannot generally be 
used for efficiently solving systems with more than a handful of variables. However 
the system derived from the AES is very structured, and the hope is that a 
dedicated method can exploit this rich structure. With that in mind, a method 
called XSL was proposed in [10,11], which it was claimed could provide an efficient 
way to recover the encryption key for certain types of block ciphers. According 
to the estimates presented in [10], with the XSL algorithm one could mount 
a (at least theoretical) successful attack against the AES with 256-bit keys. 

Around the same time, Murphy and Robshaw [13] showed how to express 
the AES encryption as a far simpler system of equations over F_{2^8}. It was noticed 
then that, if XSL worked as predicted, this system should be easier to solve than 
the original one over F_2, and in theory could provide an efficient attack against 
the AES with 128-bit keys [13,14]. 

Since the introduction of the XSL algorithm, the potential for algebraic at- 
tacks against block ciphers (and in particular the AES) has been the source of 
much speculation. Although it has attracted a lot of attention from the crypto- 
graphic community, currently very little is known about the effectiveness of the 
XSL algorithm, and of algebraic attacks in general, against block ciphers. 

In this paper we present an analysis of the XSL algorithm. Based on our 
results we conclude that, as presented in [11], the XSL algorithm should not 
provide an efficient method for solving the AES system of equations. 

2 Linearization Methods 

The XSL algorithm was introduced in [10,11], and it is derived from an earlier 
algorithm called XL [8]. The XL algorithm and its many variants [7,9,11] are all 
based on the method of linearization, a well-known technique for solving large 
systems of multivariate polynomial equations. In this method we consider all 
monomials in the system as independent variables and try to solve it using linear 
algebra techniques. Note that the linearization method can only be successful if 
the number of linearly independent equations is approximately the same as the 
number of monomials in the system. The XL algorithm and its variants attempt 
to generate enough equations when this is not the case. 

The XL is a simple algorithm: if we consider a system of m quadratic equations 
and n variables over a finite field K, 

f_1(x_1, ..., x_n) = 0, ..., f_m(x_1, ..., x_n) = 0, (1) 

the algorithm simply multiplies the original equations by all monomials M_i up 
to a prescribed degree D - 2, and attempts to solve the system of all resulting 
equations 

M_i · f_j(x_1, ..., x_n) = 0 (2) 

of degree at most D by linearization. 

Although not fully understood when first introduced, currently there seems to 
be a much better understanding of the behaviour of the XL algorithm, including 
its merits and limitations [1,2,3,4,12]. In particular it has been shown that some 
of the heuristics used in deriving the complexity of the XL algorithm [8] were 
too optimistic [12]. 
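The XL procedure just described (multiply every equation by all monomials up to degree D - 2, treat each monomial as a new variable, eliminate) run on a constructed three-variable system over F_2, as an added example that is not part of the paper; the bitmask encoding of monomials, the Boolean reduction x_i^2 = x_i, the function names and the sample system are choices made here.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <vector>

// Monomials over F_2 in n Boolean variables are bitmasks of the variables they contain
// (x_i^2 = x_i, so no exponent exceeds 1). A polynomial is the set of its monomials;
// addition over F_2 is the symmetric difference, so adding a term toggles its membership.
typedef uint32_t Mono;
typedef std::set<Mono> Poly;

static int degree(Mono m) { int d = 0; for (; m; m &= m - 1) ++d; return d; }
static int varIndex(Mono m) { int i = 0; while (!(m & 1u)) { m >>= 1; ++i; } return i; }
static void toggle(Poly &p, Mono m) { if (!p.insert(m).second) p.erase(m); }

// Multiply polynomial p by monomial m; the bitwise OR applies x_i * x_i = x_i.
static Poly mulMono(const Poly &p, Mono m) {
  Poly out;
  for (Poly::const_iterator t = p.begin(); t != p.end(); ++t) toggle(out, *t | m);
  return out;
}

// All monomials in n variables of degree <= d (the constant 1 is the empty mask).
static std::vector<Mono> monomialsUpTo(int n, int d) {
  std::vector<Mono> v;
  for (Mono m = 0; m < (1u << n); ++m) if (degree(m) <= d) v.push_back(m);
  return v;
}

static bool higherDegreeFirst(Mono a, Mono b) {
  return degree(a) != degree(b) ? degree(a) > degree(b) : a > b;
}

// XL at degree D: multiply every equation by every monomial of degree <= D-2, treat every
// monomial of degree <= D as an independent variable (one column), and Gauss-Jordan
// eliminate over F_2. Columns are ordered with high-degree monomials first and the constant
// last, so reduced rows that end up with a single linear term read off x_i = 0 or 1.
// Returns one entry per variable: 0, 1, or -1 when XL at this D does not determine it.
std::vector<int> xlSolve(const std::vector<Poly> &eqs, int n, int D,
                         int *rank_out = 0, int *cols_out = 0) {
  std::vector<Mono> cols = monomialsUpTo(n, D);
  std::sort(cols.begin(), cols.end(), higherDegreeFirst);
  std::map<Mono, size_t> colOf;
  for (size_t i = 0; i < cols.size(); ++i) colOf[cols[i]] = i;

  std::vector<std::vector<uint8_t> > rows;
  std::vector<Mono> mult = monomialsUpTo(n, D - 2);
  for (size_t e = 0; e < eqs.size(); ++e)
    for (size_t q = 0; q < mult.size(); ++q) {
      Poly g = mulMono(eqs[e], mult[q]);
      std::vector<uint8_t> row(cols.size(), 0);
      for (Poly::const_iterator t = g.begin(); t != g.end(); ++t) row[colOf[*t]] = 1;
      rows.push_back(row);
    }

  size_t rank = 0;                                   // Gauss-Jordan elimination over F_2
  for (size_t c = 0; c < cols.size() && rank < rows.size(); ++c) {
    size_t piv = rank;
    while (piv < rows.size() && !rows[piv][c]) ++piv;
    if (piv == rows.size()) continue;
    std::swap(rows[piv], rows[rank]);
    for (size_t r = 0; r < rows.size(); ++r)
      if (r != rank && rows[r][c])
        for (size_t k = 0; k < cols.size(); ++k) rows[r][k] ^= rows[rank][k];
    ++rank;
  }
  if (rank_out) *rank_out = (int)rank;
  if (cols_out) *cols_out = (int)cols.size();

  std::vector<int> sol(n, -1);                       // read off rows of the form x_i + a
  for (size_t r = 0; r < rank; ++r) {
    int var = -1, nonconst = 0, constant = 0;
    for (size_t c = 0; c < cols.size(); ++c)
      if (rows[r][c]) {
        if (cols[c] == 0) constant = 1;
        else { ++nonconst; if (degree(cols[c]) == 1) var = varIndex(cols[c]); }
      }
    if (nonconst == 1 && var >= 0) sol[var] = constant;
  }
  return sol;
}

// Constructed system: three quadratics in x0, x1, x2 whose only common zero over F_2
// is (x0, x1, x2) = (1, 0, 1); D = 2 (plain linearization) is underdefined, D = 3 solves it.
std::vector<Poly> exampleSystem() {
  const Mono X0 = 1, X1 = 2, X2 = 4, ONE = 0;
  std::vector<Poly> eqs(3);
  eqs[0].insert(X0 | X1); eqs[0].insert(X2); eqs[0].insert(ONE);   // x0*x1 + x2 + 1
  eqs[1].insert(X0); eqs[1].insert(X1 | X2); eqs[1].insert(ONE);   // x0 + x1*x2 + 1
  eqs[2].insert(X0 | X2); eqs[2].insert(ONE);                      // x0*x2 + 1
  return eqs;
}
```

At D = 2 there are 3 independent rows against 7 monomials and no variable is recovered; at D = 3 the 12 products span 7 of the 8 monomials of degree at most 3 and the reduced rows x0 + 1, x1, x2 + 1 appear.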
The XSL algorithm works slightly differently. Whereas in the XL algorithm 
the equations are multiplied by all monomials up to a certain degree, in the XSL 
algorithm the equations are multiplied only by “carefully selected monomials”. 
The goal here is to create fewer new monomials when generating the new equa- 
tions. Additionally, there is a last step (called T' method), in which we try to 
obtain new linearly independent equations without creating any new monomials. 

Analysis of the XSL algorithm does not seem to be an easy task, and currently 
very little is known about its behaviour. There are a number of reasons for this. 
Firstly, XSL can be considered an ad-hoc method, and the algorithm relies on 
the system presenting a somewhat special form, such as having “S-Boxes” with 
overdefined system of equations, repeated layers of linear equations, and so on. 
Secondly there are different versions of the algorithm (two attacks are given 
in [10], which are substantially different from the attack proposed in [11]), and in 
all cases, the description given leaves some room for interpretation. Furthermore, 
given the size of the systems involved, it is very difficult to implement and run 
experiments even on small examples to verify the heuristics in [10,11]. 

In the following sections, we give a more concise description of the XSL 
algorithm and study it from a more systematic point of view in an attempt to 
get an insight into the algorithm and better understand its behaviour. 

3 The XSL Algorithm 

There are different versions of the XSL algorithm. The first version was proposed 
in [10] , where two different attacks were described: the first one eliminating the 
key schedule equations (but requiring a number of plaintext-ciphertext pairs), 
and a second, more specific attack, that used the key schedule equations (and 
should work with a single plaintext-ciphertext pair). Later a different version 
of the algorithm was introduced in [11] (called “compact XSL”). Only the first 
attack was described in [11], although it is straightforward to extend the method 
to the second attack. 

In this paper we concentrate on the “compact XSL” algorithm. Although the 
algorithm can in theory be applied to a number of block ciphers, our analysis is 
focused on the AES, and we take into account the special structure of the systems 
derived from this cipher. The systems used are over F 2 and always include the 
key schedule equations (i.e. we perform the second XSL attack). 

The XSL algorithm, as described in [11], is supposed to work only on special 
types of ciphers; it assumes that the cipher is built with layers of small S-Boxes 
interconnected by linear key-dependent layers. The S-Box is such that it can 
be described by an overdefined set of quadratic equations. To apply the second 
attack (i.e. including the key schedule), the key schedule needs to have a similar 
structure to the encryption (which is the case for the AES). 

The XSL algorithm consists of four main steps: 


1. Process the existing set of equations, by choosing certain sets of monomials 
and equations that will be used during the later steps of the algorithm. 
2. Select the value of the parameter P, and multiply the chosen equations by 
the product of P - 1 selected monomials. This is the “core” of the XSL 
attacks and should generate a large number of equations whose terms are 
the product of the monomials chosen earlier. 

3. Perform the T' method, in which some selected equations are multiplied by 
single variables. The goal is to generate new equations without creating any 
new monomials. Iterate with as many variables as necessary until the system 
has enough linearly independent equations to apply linearization^1. 

4. Apply linearization, by considering each monomial as a new variable and 
performing Gaussian elimination. This should yield a solution for the system. 

In the following sections we describe the first three steps, in an attempt to 
better understand the behaviour of the XSL algorithm. During our analysis, we 
illustrate the working of the algorithm on a small variant of the AES defined 
in [5]. The cipher used (denoted by SR(3,1,1,4)) has a 4-bit block and 3 rounds, 
and its operations are over the field F_{2^4}. We note however that this small cipher 
is used only to assist the understanding of the algorithm’s various steps; all 
results obtained are valid for the full AES, and we always present figures for this 
cipher. We use the following notation throughout this paper (similarly to [11]): 


B: number of S-Boxes in each encryption round; N_r: number of encryption rounds; 
\mathcal{R}: set of all equations; R: cardinality of \mathcal{R}; 
\mathcal{E}: subset of \mathcal{R} consisting of all L.I. equations; E: cardinality of \mathcal{E}; 
\mathcal{T}: set of all monomials in the system; T: cardinality of \mathcal{T}; 
\mathcal{T}'_i: set of monomials in the system such that x_i · \mathcal{T}'_i ⊂ \mathcal{T}; T': cardinality of \mathcal{T}'_i; 
t: number of monomials in the S-Box equations; s: number of bits of the S-Box; 
t': number of monomials in the S-Box equations to be used in the T' method; r: number of equations in an S-Box; 
L: number of subsets of linear layer equations; S: total number of S-Boxes; 
S_m: number of encryption S-Boxes; S_k: number of key schedule S-Boxes; 
b_i: number of neighbouring S-Boxes for equations in the subset i; 
N_b: number of columns in the data array; N_a: number of rows in the data array. 


4 Step 1 - Processing of the Original Set of Equations 

The processing method suggested in [11] is that for every S-Box, a basis of 
t - r monomials is chosen and the remaining r monomials are written as linear 
combinations of the elements of the basis. Furthermore, the basis should be 
chosen such that the variables (i.e. monomials of degree 1) are not in the basis, 
and the constant monomial 1 is in the basis. 

For the AES, we have r = 24 and t = 81, so each S-Box has a basis consisting 
of 57 monomials. If we denote by w_{ij} and x_{ij} the j-th bit of the input and output 
of the i-th S-Box respectively, we can choose our basis such that it consists of the 

1 The T' method has also been proposed as the final step of the XL algorithm, in the 
so-called XL2 method [9]. 
monomials x_{ij}w_{ik}, with j ≠ k, and 1. In our small example, we have r = 12 and 
t = 25, so after this processing the S-Box equations would be given by 

    w_{10} + w_{10}x_{11} + w_{11}x_{10} + w_{11}x_{12} + w_{12}x_{10} + w_{13}x_{11} + 1 
    w_{11} + w_{10}x_{11} + w_{10}x_{13} + w_{11}x_{13} + w_{12}x_{10} + w_{12}x_{13} + w_{13}x_{10} + w_{13}x_{11} 
    w_{12} + w_{10}x_{11} + w_{10}x_{12} + w_{12}x_{11} + w_{12}x_{13} + w_{13}x_{10} + w_{13}x_{11} 
    w_{13} + w_{10}x_{11} + w_{10}x_{12} + w_{10}x_{13} + w_{11}x_{10} + w_{11}x_{13} + w_{12}x_{10} + w_{12}x_{13} + w_{13}x_{10} 
    x_{10} + w_{10}x_{11} + w_{10}x_{12} + w_{11}x_{10} + w_{11}x_{13} + w_{12}x_{11} + 1 
    x_{11} + w_{10}x_{12} + w_{10}x_{13} + w_{11}x_{10} + w_{11}x_{13} + w_{13}x_{10} + w_{13}x_{11} + w_{13}x_{12} 
    x_{12} + w_{10}x_{13} + w_{11}x_{10} + w_{11}x_{12} + w_{11}x_{13} + w_{12}x_{10} + w_{13}x_{12} 
    x_{13} + w_{10}x_{11} + w_{10}x_{12} + w_{10}x_{13} + w_{11}x_{10} + w_{12}x_{10} + w_{13}x_{10} + w_{13}x_{11} + w_{13}x_{12} 
    w_{10}x_{10} + w_{10}x_{11} + w_{11}x_{10} + w_{12}x_{13} + w_{13}x_{12} + 1 
    w_{11}x_{11} + w_{10}x_{12} + w_{10}x_{13} + w_{11}x_{12} + w_{12}x_{10} + w_{12}x_{11} + w_{12}x_{13} + w_{13}x_{10} + w_{13}x_{12} 
    w_{12}x_{12} + w_{10}x_{11} + w_{11}x_{10} + w_{11}x_{13} + w_{12}x_{13} + w_{13}x_{11} + w_{13}x_{12} 
    w_{13}x_{13} + w_{10}x_{13} + w_{11}x_{12} + w_{12}x_{11} + w_{13}x_{10}, 

and the basis would be given by 

    { w_{10}x_{11}, w_{10}x_{12}, w_{10}x_{13}, w_{11}x_{10}, w_{11}x_{12}, w_{11}x_{13}, 
      w_{12}x_{10}, w_{12}x_{11}, w_{12}x_{13}, w_{13}x_{10}, w_{13}x_{11}, w_{13}x_{12}, 1 }. 

The set consisting of the monomials in the bases of all the S-Boxes is used to 
multiply the remaining equations in the system (the linear layer equations) in 
step 2 of the algorithm, while the S-Box relations are used to carry out substitu- 
tions in the linear layer equations (Section 5). One of the main ideas of the XSL 
algorithm is that during the attack the equations are always expressed as sum 
of terms that are the product of monomials in the bases of P different S-Boxes. 

When performing the second XSL attack, we need to do the same processing 
with the key schedule S-Boxes. In this case we denote by k_{ij} and s_{ij} the j-th bit of 
the input and output of the i-th key schedule S-Box, respectively. Similarly to the 
encryption S-Boxes, we choose our basis such that it consists of the monomials 
k_{ij}s_{ik}, with j ≠ k, and 1. We note however that the key schedule has a slightly 
different structure from the encryption, such that not every key variable goes 
through an S-Box. The suggestion in [10] is that we should introduce the so-called 
“artificial S-Boxes”, with the necessary variables and no equations. We find 
this an unnecessary and somewhat cumbersome step, which makes our analysis 
a bit more complex. In particular, it is harder to derive accurate figures for the 
number of monomials and equations in the resulting system. In our opinion it is 
better to rewrite the key schedule system such that these “artificial S-Boxes” are 
no longer required (see Appendix A). Either way, the chosen form for the key 
schedule equations should not be relevant in the analysis that follows and does 
not have any significant influence on the complexity of the attack described. 

The linear layer equations (from the encryption and the key schedule) are the 
equations that will be used directly in step 2 of the algorithm. Each equation 
(called “active equation”) will be multiplied by monomials of the basis from 
some (P - 1) different S-Boxes (called “passive S-Boxes”). The S-Box relations 
are not explicitly used in the algorithm, but rather in an indirect form. The 
linear layer equations are linear in the many variables of the system, and these 
variables are not in the basis of any S-Box. Thus the XSL algorithm requires 
us to substitute the variables by their expressions as linear combination of the 
monomials from the corresponding S-Box basis prior to multiplication. Again, 
the idea of the XSL algorithm is that during the attack the equations are always 
expressed as sum of terms that are the product of monomials in the bases of the 
S-Boxes. For example, in our small cipher the initial key addition operation is 
expressed by the following subsystem: 


    p_0 + w_{10} + k_{00} 
    p_1 + w_{11} + k_{01} 
    p_2 + w_{12} + k_{02} 
    p_3 + w_{13} + k_{03},          (3) 


where the p_i variables correspond to the plaintext values. After performing the 
substitution of the monomials w_{ij} and k_{0j} by their respective expressions from 
the corresponding S-Boxes bases, the subsystem (3) is written as: 

    p_0 + w_{10}x_{11} + w_{11}x_{10} + w_{11}x_{12} + w_{12}x_{10} + w_{13}x_{11} + 
        k_{00}s_{01} + k_{01}s_{00} + k_{01}s_{02} + k_{02}s_{00} + k_{03}s_{01}, 
    p_1 + w_{10}x_{11} + w_{10}x_{13} + w_{11}x_{13} + w_{12}x_{10} + w_{12}x_{13} + w_{13}x_{10} + w_{13}x_{11} + 
        k_{00}s_{01} + k_{00}s_{03} + k_{01}s_{03} + k_{02}s_{00} + k_{02}s_{03} + k_{03}s_{00} + k_{03}s_{01}, 
    p_2 + w_{10}x_{11} + w_{10}x_{12} + w_{12}x_{11} + w_{12}x_{13} + w_{13}x_{10} + w_{13}x_{11} + 
        k_{00}s_{01} + k_{00}s_{02} + k_{02}s_{01} + k_{02}s_{03} + k_{03}s_{00} + k_{03}s_{01}, 
    p_3 + w_{10}x_{11} + w_{10}x_{12} + w_{10}x_{13} + w_{11}x_{10} + w_{11}x_{13} + w_{12}x_{10} + w_{12}x_{13} + w_{13}x_{10} + 
        k_{00}s_{01} + k_{00}s_{02} + k_{00}s_{03} + k_{01}s_{00} + k_{01}s_{03} + k_{02}s_{00} + k_{02}s_{03} + k_{03}s_{00}. 


The processing above is performed on all equations arising from the linear 
layer system (including the key schedule). This results in (N_r + 1) · B · s + K_e 
quadratic equations over F_2, with 2s · S variables and S · (t - r - 1) monomials 
(excluding the constant monomial), where K_e is the number of key schedule 
equations and S is the total number of S-Boxes in the cipher. In our small 
example S = 6 and K_e = 8, so we have 4 · 1 · 4 + 8 = 24 equations on 48 variables 
and 72 monomials. For the AES-128, we have S = 10 · (16 + 4) = 200 and 
K_e = 192. Thus there are 1600 equations, 3200 variables and 11200 monomials 
(Appendix A). 


5 Step 2 - Multiplying the Equations 

In this step, the attacker selects the value of the parameter P (refer to [11] on 
how to compute P), and then multiplies each of the equations derived from the 
cipher linear layer after the substitution described above by the product of (P - 1) 
monomials from different S-Boxes. Only the monomials in the bases are used. 
To ensure that the equations generated contain only terms that are the product 
of monomials from P different S-Boxes, a few neighbouring S-Boxes need to be 
excluded (i.e. S-Boxes that have monomials in common with the active equation). 
This can be visualised in the diagram illustrating the encryption operation in 
our small example (Figure 1). For example, when multiplying the equations in 
the subset Lin_2, we should not include the monomials in S-Boxes S_2, S_3 and K_2. 
Fig. 1. S-Boxes and Linear Layers on the SR(3,1,1,4) encryption 

After multiplication, we expect to have R = s \sum_{k=1}^{L} (t - r - 1)^{P-1} \binom{S - b_k}{P-1} 
equations (though not all linearly independent), where L is the number of subsets 
of linear layer equations and b_i is the number of neighbouring S-Boxes for the 
subset i. In total, we expect to have T = \sum_{k=0}^{P} (t - r - 1)^k \binom{S}{k} monomials in the 
system (Appendix A). 

As computed in the previous section, we have 1600 quadratic equations on 
3200 variables and 11200 monomials for the AES-128 before multiplication^2. So 
it appears that we start with an underdefined system, which in principle should 
not be solvable. Note however that, apart from the initial substitution, we have 
not used the S-Boxes relations yet. 

It is not completely clear from the description in [11] how to include the 
S-Boxes equations. The authors say that “each time, in the attack we want to 
use one of the other r terms [not in the S-Box basis], we will write them as 
linear combination of the elements of the basis” [11]. Although this description 
leaves the method somewhat open for interpretation, we believe that the most 
likely way to proceed is to generate all equations via multiplication and then 
perform (as much as possible) substitutions of monomials not in the bases by 
their expressions with the corresponding linear combination of monomials in the 
basis. This should hopefully introduce many new equations. Note that because 
the initial system used by the XSL algorithm is underdefined, the system can 
only be solved if further substitutions are performed. 

As before, let w_{ij} and x_{ij} be the j-th bit of the input and output of the i-th 
S-Box respectively, such that the basis consists of the monomials x_{ij}w_{ik}, with 
j ≠ k, and 1 (note that on the key schedule S-Boxes, the variables should be 
k_{ij} and s_{ij}, but for simplicity we rename these variables). We denote by [w_{ij}], 
[x_{ij}] and [x_{ij}w_{ij}] the expressions of these monomials as linear combinations of 
the monomials in the S-Box basis. When performing substitutions, we need to 
make sure that variables are always substituted in pairs, from the same S-Box 
(w_{ij} and x_{ik}). This is required to ensure that the resulting new equations are 
still made up of terms that are the product of monomials from the bases of the 
S-Boxes. Furthermore, we should also make sure that the substitutions do not 
create monomials of degree higher than 2P. 

2 Appendix A of [11] describes how to simplify the equations and reduce the number 
of variables. However this new format does not seem to be suitable for the XSL 
attack. 
The relations used for substitution and generation of new equations are 

    (x_{ij}w_{ik}) · (x_{ij}w_{ik}) = x_{ij}w_{ik}                                          for any i, j, k 
    (x_{ij}w_{ik}) · (x_{ij}w_{il}) = (x_{ij}w_{ik}) · [w_{il}] = [w_{ik}] · (x_{ij}w_{il})   for any i, j, k, l 
    (x_{ij}w_{ik}) · (x_{il}w_{ik}) = (x_{ij}w_{ik}) · [x_{il}] = [x_{ij}] · (x_{il}w_{ik})   for any i, j, k, l 
    x_{ij}w_{ik} = [x_{ij}] · [w_{ik}]                                                    for j ≠ k 
    x_{ij}w_{ik} = [x_{ij}] · [w_{ik}] = [x_{ij}w_{ik}]                                   for j = k.        (4) 

For each S-Box, the number of relations is s^2 + s^3 + s^3 + s(s - 1) + 2s = 2s^3 + 2s^2 + s. 

Note that substitutions using any of the relations in (4) will always result in 
(or only be possible by) monomials made up of the product of some monomials 
from the same S-Box. However, the XSL algorithm described in [11] excludes 
monomials from neighbouring S-Boxes when multiplying the original equations, 
and so the generated equations have only terms of the form 


    x_{i_1 j_1}w_{i_1 k_1} · x_{i_2 j_2}w_{i_2 k_2} · ... · x_{i_l j_l}w_{i_l k_l}, (5) 

with l ≤ P and all i_r's pairwise distinct. This means that no substitutions 
can be made such that the resulting new equations contain only terms that are 
the product of up to P monomials from different S-Boxes. Substitutions always 
introduce new monomials, and this is not intended to happen with the XSL 
algorithm. Without any substitutions, we never get any new expressions, and 
the method essentially ignores the S-Box equations. Therefore, no matter how 
large the parameter P is, there is no hope that the XSL algorithm (as described 
in [11]) can solve the initial set of equations^3. 

The problem with the XSL algorithm arises from the attempt to have only 
monomials made up of the product of P different S-Boxes, and as such some 
S-Boxes needed to be excluded when multiplying. The simplest way to get round 
this situation is to allow the product of any P monomials from the bases, not 
necessarily from different S-Boxes, and use all S-Boxes when multiplying, includ- 
ing the neighbouring ones. The effect is that we should expect a larger number of 
monomials in the end (as well as equations), but this will also allow the substitu- 
tions, and we will be able to include the S-Boxes relations in the computations. 

A more systematic way to proceed is however to add the relations (that 
were to be used for substitution) to the initial set of equations, and perform the 
algorithm without any further substitutions. Care has to be taken though, as 
some of the new equations have degree 4 rather than 2 (e.g. x_{ij}w_{ik} = [x_{ij}] · [w_{ik}]), 
and these should be multiplied by the product of up to P - 2 monomials only. We 
note also that, as the monomial x_{ij}w_{ij} does not belong to the S-Box basis, we 
should not include some of the relations involving this monomial (for example, 
x_{ij}w_{ij} = [x_{ij}w_{ij}]) in the initial set of equations. 

It can be shown that this new procedure is essentially equivalent to the previous 
one, and all new equations created by substitution can also be generated by apply- 
ing the method to this enlarged set of equations. We call this modified method sXL 
(standing for substitute and XL), and examine it in the following section. 

3 Substitutions could still be performed by modifying the last step of XSL (T' method), 
but this is obviously not the way it was originally proposed. 
5.1 The sXL Algorithm 

The sXL algorithm seems to be the natural way to get round the flaw in the 
original XSL algorithm described in [11]. In the sXL algorithm, equations are 
first processed as described in Section 4. We then add the many new relations 
(4) resulting from the S-Boxes equations to the original linear layer equations, 
and multiply all equations in this set by the product of (P - 1) monomials from 
the bases of (not necessarily distinct) S-Boxes, for an appropriate value P. 

In the initial set, there were (N_r + 1) · B · s + K_e quadratic equations on 2s · S 
variables and S · (t - r - 1) monomials. To this set we add 

    S · (s(s - 1) + s(s - 1)^2 + s(s - 1)^2 + s(s - 1) + s) = S · (2s^3 - 2s^2 + s) 

quartic equations derived from the relations in (4) (we are excluding some relations 
using the monomial x_{ij}w_{ij}). We call this new set \mathcal{S}. 

To analyse the running time of the sXL algorithm, we need to compute the 
minimal value P m of the parameter P for which the method yields a solution of 
the system. We initially ignore the T' method (Section 6). 

In order to compute P_m, we introduce new variables and substitute the 
monomials (x_{ij} · w_{ik}) in the equations in \mathcal{S} by Y_{ijk}. We denote the resulting new 
set of equations by \mathcal{S} ⊂ K[Y]. The new variables Y_{ijk} are related by the various 
relations of type 

    Y_{ijk} · Y_{ipq} = x_{ij}w_{ik} · x_{ip}w_{iq} = x_{ij}w_{iq} · x_{ip}w_{ik} = Y_{ijq} · Y_{ipk}, (6) 

where we might have to use the S-Box relations if j = q or p = k. We call this 
set \mathcal{R} ⊂ K[Y], and it contains S · a equations. 

We now consider the system of equations \mathcal{S} ∪ \mathcal{R} ⊂ K[Y], and execute the XL 
algorithm on this system. The algorithm is required to run to a certain degree 
D m to yield a solution. 

We now have the following proposition (proof is given in Appendix B): 

Proposition 1. Let $S$ be the set consisting of the original linear layer equations 
together with the relations (4) resulting from the S-Boxes equations, all written as 
sums of terms made up of the product of monomials in the S-Boxes bases. Denote 
by $P_m$ the minimal value of the parameter $P$ for which the algorithm described 
above (sXL) yields a solution of the system. Similarly, let $\overline{S} \cup \mathcal{R} \subset \mathbb{K}[Y]$ denote 
the set of equations derived from $S$ and the relations (6) by substituting the 
monomials $(x_{ij} \cdot w_{ik})$ by $Y_{ijk}$. If $D_m$ denotes the minimal degree for which the 
XL algorithm yields a solution of this system, then $P_m = D_m$. 

Proposition 1 states that the sXL algorithm is essentially equivalent to an initial 
substitution (substituting the monomials $(x_{ij} \cdot w_{ik})$ by $Y_{ijk}$), and then applying 
the XL algorithm to the resulting system in $\mathbb{K}[Y]$ (thus the name sXL - substitute 
and XL). For the AES-128, we start the XSL algorithm with 1600 equations, 
3200 variables and 11200 monomials (i.e. an underdefined system). To run the 
sXL algorithm, we use the set $S$, which contains 182400 linearly independent 
equations. The set $\mathcal{R}$ has 156800 linearly independent equations, and after adding 
all relations and substituting the monomials, the set $\overline{S} \cup \mathcal{R}$ has 276800 equations 
(each S-Box contains 1376 linearly independent equations) on 11200 variables. 
By Proposition 1 above and Theorem 1 from [12], we expect to run the algorithm 
up to degree at least $D = 51$ for the method to yield a solution. If we include 
the T' method as last stage (essentially running the XL2 method [9]), we expect 
to run the algorithm to degree at least $D = 20$. Thus in the best case, the 
complexity of the attack is at least 

$$(\dim(U_D))^{\omega} = (\dim(\overline{U}_D) - \dim(\ker \phi))^{\omega} \geq \Big( \sum_{i=0}^{D} \binom{11200}{i} - 156800 \cdot \sum_{i=0}^{D-2} \binom{11200}{i} \Big)^{\omega} \approx 2^{492},$$

where $\phi$, $U_D$, $\overline{U}_D$ are defined in the proof of Proposition 1 (Appendix B), and 
$\omega = 2.376$ is the highly optimistic Gaussian reduction exponent given in [11]. 
Furthermore it should be clear that there seems to be no benefit in running this 
method instead of simply applying XL or XL2 to the simplified AES system 
of 8000 equations over 1600 variables described in [10]. Using the same results 
from [12], we expect in this case to run the algorithm up to degree at least 
$D = 44$ for the XL algorithm and at least $D = 29$ for the XL2 method. Again, 
in the best case the complexity of the attack is at least 



We recall that the inefficiency of the XL algorithm against the AES has already 
been shown in [11], and this was in fact the motivation for the proposal of 
the XSL algorithm. We have shown however that the XSL algorithm presented 
in [11] has a flaw in its description, and the natural modification (i.e. sXL) is 
essentially equivalent to the XL algorithm (or XL2) on a much larger system, 
resulting therefore in a less efficient method of attack against the AES. 
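To check the $2^{492}$ figure above, here is an added Python example (not code from the paper) that evaluates the lower bound with the parameters of this section: 11200 variables $Y_{ijk}$, 156800 relations in $\mathcal{R}$, $\omega = 2.376$, and the assumption that $\dim \mathbb{K}[Y]_{\le d} = \sum_{i \le d} \binom{11200}{i}$ over $\mathbb{F}_2$; it also reports the degree from which the kernel estimate overtakes the monomial count and the bound becomes vacuous.

```python
from math import comb, log2

# Parameters of the substituted AES-128 system (Section 5.1 of the paper).
N_VARS = 11200     # variables Y_ijk
N_REL = 156800     # linearly independent relations (6) in the set R
OMEGA = 2.376      # Gaussian reduction exponent assumed in [11]


def dim_monomials(n: int, d: int) -> int:
    """dim K[Y]_{<=d} over F_2: monomials of degree at most d in n variables
    (with Y^2 = Y, so each variable appears at most once).  Assumed model."""
    if d < 0:
        return 0
    return sum(comb(n, i) for i in range(d + 1))


def sxl_bound_log2(D: int, n: int = N_VARS, n_rel: int = N_REL, omega: float = OMEGA):
    """log2 of the lower bound (dim K[Y]_{<=D} - n_rel * dim K[Y]_{<=D-2})^omega.

    The subtracted term bounds dim(ker phi) = dim(V_D): V_D is spanned by the
    n_rel relations multiplied by monomials of degree at most D-2 (relation (16)).
    Returns None when the estimate is no longer positive, i.e. where the bound is
    vacuous because the relations cannot all stay independent at that degree."""
    lower = dim_monomials(n, D) - n_rel * dim_monomials(n, D - 2)
    if lower <= 0:
        return None
    return omega * log2(lower)


def vacuous_from(n: int = N_VARS, n_rel: int = N_REL, limit: int = 200) -> int:
    """Smallest degree D <= limit at which the bound above stops being positive."""
    for D in range(2, limit + 1):
        if sxl_bound_log2(D, n, n_rel) is None:
            return D
    raise ValueError("bound stays positive up to the limit")


if __name__ == "__main__":
    print(f"D = 20 (with T' method): about 2^{sxl_bound_log2(20):.1f}")
    print(f"bound becomes vacuous from D = {vacuous_from()}")
```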

6 Step 3 - The T' method 

The T' method is the final stage of the XSL algorithm before linearization. 
We recall that to apply linearization, we require that the number of linearly 
independent equations in the system be approximately the same as the 
number of monomials (in the notation introduced earlier, $E \approx T$). Starting with 
a system resulting from step 2 (which may still have $T$ much larger than $E$), the 
T' method works by multiplying some selected equations by single variables $x_i$ 
(reducing modulo $x_i^2 + x_i$ when necessary) in an attempt to obtain new linearly 
independent equations without creating any new monomials. The hope is that 
after a few iterations we have $E = T - 1$. Although the method seems to have 
been designed to work on systems of equations over $\mathbb{F}_2$, it is possible to modify 
it to work on equations over other finite fields. 

Let $\mathcal{R}$ be a system of multivariate polynomial equations of degree at most $D$ 
with $n$ variables $\{x_1, x_2, \ldots, x_n\}$ over the finite field $\mathbb{K} = \mathbb{F}_2$. We assume that 
$\mathcal{R}$ contains $E$ linearly independent equations. Let $\mathcal{T}$ be the set of all monomials 
in the system, and $\mathcal{T}'_i$ be the set of monomials that can be multiplied by the 
variable $x_i$ and still belong to $\mathcal{T}$, i.e. $\mathcal{T}'_i = \{t \in \mathcal{T} \mid x_i \cdot t \in \mathcal{T}\}$. 

Denote by $T$ and $T'_i$ the cardinality of the sets $\mathcal{T}$ and $\mathcal{T}'_i$, respectively. Assuming 
that $E \geq T - T'_i + C$ and $C \geq 1$, we can apply the following “algorithm” [11]. 

1. Perform a Gaussian elimination on the system $\mathcal{R}$ to bring it to a form in 
which each monomial is a known linear combination of monomials in $\mathcal{T}'_i$. 
Since we have $E \geq T - T'_i + C$, we should have around $C$ equations of which 
all monomials are in $\mathcal{T}'_i$. 

2. Multiply these equations by $x_i$, reducing modulo $x_i^2 + x_i$ when necessary. 
Add any new linearly independent equations to the system $\mathcal{R}$. 

3. Repeat steps 1 and 2 on the resulting system with other variables $x_j$ until 
$E = T - 1$. 

It is expected in [11] that the number of new equations generated grows at 
exponential rate, and that if the initial system has a unique solution, then after 
a few iterations (perhaps using as little as three variables) the algorithm should 
generate enough equations to solve the system by linearization. 

Consider the polynomials in $\mathcal{R}$ as vectors over $\mathbb{K}$ in the polynomial algebra 
$\mathbb{K}[x_1, \ldots, x_n]$ and $\mathcal{E}$ the vector space (of dimension $E$) generated by $\mathcal{R}$. With 
an abuse of notation, we denote the space generated by all monomials of degree 
at most $D$ by $\mathcal{T}$. By using the field relation $x^2 + x = 0$ to reduce the degree of 
monomials when necessary, we have $T = \dim(\mathcal{T}) = \sum_{i=0}^{D} \binom{n}{i}$. 

For any variable $x_i$, let $\mathcal{T}'_i \subset \mathcal{T}$ be the subspace of $\mathcal{T}$ defined earlier. We can 
write 

$$\mathcal{T} = \mathcal{T}'_i \oplus \mathcal{U}_i \quad \text{and} \quad T'_i = \dim(\mathcal{T}'_i) = \sum_{j=0}^{D-1} \binom{n}{j} + \binom{n-1}{D-1}.$$

In order to apply the T' method, we need $\mathcal{E} \cap \mathcal{T}'_i \neq 0$. The vectors in $\mathcal{E} \cap \mathcal{T}'_i$ 
correspond to the equations that are multiplied by the variable $x_i$ when running 
the algorithm. A sufficient condition is that 

$$\dim(\mathcal{E}) > \dim(\mathcal{U}_i) = \dim(\mathcal{T}) - \dim(\mathcal{T}'_i), \qquad (8)$$

or equivalently, that $E > T - T'_i$. We denote the subspace $\mathcal{E} \cap \mathcal{T}'_i$ by $\mathcal{C}_i$, and its 
dimension by $C_i = E - T + T'_i$. 

We note that the multiplication of the equations in $\mathcal{E} \cap \mathcal{T}'_i$ by $x_i$ induces 
a linear transformation $X_i : \mathcal{T}'_i \to \mathcal{T}'_i$. By appropriately choosing an ordered 
basis for $\mathcal{T}'_i$, $X_i$ can be represented by the $T'_i \times T'_i$ matrix 
$\begin{pmatrix} Id & 0 \\ Id & 0 \end{pmatrix}$, where $Id$ corresponds to the $\frac{T'_i}{2} \times \frac{T'_i}{2}$ identity matrix. 
The image of $X_i$ is generated by $\{x_i, x_1 x_i, x_2 x_i, \ldots, x_1 \cdots x_i \cdots x_n\}$. The T' 
method simply computes $X_i(\mathcal{C}_i)$ and adds the resulting vectors to the space $\mathcal{E}$. 
If we denote by $\eta_k$ the number of new equations generated by the $k$-th iteration 
of the algorithm using the variable $x_{i_k}$, then 

$$\eta_k \leq \min\big(\gamma + \eta_{k-1}, \dim(\mathrm{Im}(X_{i_k}))\big), \qquad (9)$$

where $\gamma = E - T + T'_i$ for the initial system if $x_{i_k}$ is a new variable, otherwise 
$\gamma = 0$. This shows that the number of new equations generated by the method 
does not grow at exponential rate as suggested in [11]. 

It should be clear that if $X_i(\mathcal{C}_i) \subseteq \mathcal{C}_i$, then the T' method applied to the 
variable $x_i$ in a particular iteration of the algorithm does not generate any new 
linearly independent equations. We should then try other variables, as suggested 
in [11], in the hope that new equations are generated. These could then be 
added to the system, and the process could be repeated with further variables 
(including $x_i$). However, once the condition above is met by all variables, no new 
equations can be generated. Thus we have the following lemma. 

Lemma 1. Let $\mathcal{R}$ be a system of $m$ multivariate equations of degree $D \geq 2$ with 
$n$ variables $\{x_1, x_2, \ldots, x_n\}$ over the finite field $\mathbb{K} = \mathbb{F}_2$, and let $\mathcal{C}_i$ and $X_i$ be 
the $\mathbb{K}$-subspace of $\mathbb{K}[x_1, \ldots, x_n]$ and the linear transformation with respect to the 
variable $x_i$, as defined above. If $X_i(\mathcal{C}_i) \subseteq \mathcal{C}_i$ for every $1 \leq i \leq n$, then the T' 
method does not generate any new linearly independent equation. 

Therefore if a system satisfies the conditions of Lemma 1 before we have enough 
linearly independent equations to apply linearization, the T' method surely fails. 
Although it is not clear how likely a system is to satisfy these conditions, in 
Appendix C we present an example of a small system for which the T' method 
does not work. 

We can make some further remarks about the T' method when it is applied 
as the final step for XL-type algorithms. Suppose that $S$ is the initial system of 
$m$ quadratic equations with $n$ variables over the finite field $\mathbb{F}_2$. The XL algorithm 
multiplies these equations by all monomials up to a prescribed degree $d = D - 2$, 
obtaining a much larger system $\mathcal{R}$ with $R = \binom{n}{d} \cdot m$ equations. We expect 
to have 

$$T = \sum_{j=0}^{D} \binom{n}{j}, \qquad T'_i = \sum_{j=0}^{D-1} \binom{n}{j} + \binom{n-1}{D-1}, \qquad (10)$$

and therefore $T - T'_i = \binom{n-1}{D}$. The T' method is supposed to work as soon as 
the number of linearly independent equations ($E$) is larger than $T - T'_i$. By the 
results of [12], we see that this condition can only be satisfied if $T'_i$ is greater-or-equal 
to the coefficient of the $D$-th term of the expected Hilbert Series of a 
generic algebra of type $(n + 1; m; d_1, \ldots, d_m)$. 

Furthermore, given a variable $x_i$, the set $\mathcal{R}$ of equations can be divided into 
three subsets: (a) all equations obtained by multiplying monomials of degree 
up to $d - 1 = D - 3$, (b) all equations obtained by multiplying monomials of 
degree $d = D - 2$ with the variable $x_i$, and (c) equations obtained by multiplying 
monomials of degree $d = D - 2$ without $x_i$. Thus we can write 

(11) 
To apply the T' method, we should first perform a Gaussian reduction on the 
set $\mathcal{R}$, and then multiply the equations in $\mathcal{T}'_i$ by the variable $x_i$ in an attempt 
to obtain new linearly independent equations. 

It is clear that all equations in (a) and (b) are in $\mathcal{T}'_i$. However, the equations 
in (b) are fixed by $x_i$ and no new equations will be generated by multiplication. 
For equations in (a), any new equations would have been already included when 
running the XL algorithm, so no new linearly independent equations can be 
generated by multiplication either. 

The only useful equations of $\mathcal{R}$ for the T' method are therefore the ones in 
(c), and the method can work if applied to (at most) $\binom{n-1}{d} \cdot m$ equations. This 
fact had already been remarked in [6]. 

In [15] it is shown how the T' method can be interpreted in terms of Buchberger's 
Gröbner Basis algorithm. The method is further discussed (in the context 
of the XL2 [9] algorithm) in [2,4], where some doubts are cast on the 
general applicability of the method. It is remarked that the T' method may 
not be able to run because some of the monomials in $\mathcal{T} \setminus \mathcal{T}'_i$ cannot be expressed 
as linear combinations of monomials in $\mathcal{T}'_i$ (and therefore cannot be 
reduced). In particular, this will happen if $C_i = E - T + T'_i$ is small, because, 
as we saw above, after the XL algorithm many equations are already 
in $\mathcal{T}'_i$. 

It is also noted in [2] that the method should operate with all variables instead 
of just two or three. In this case the XL2 method is equivalent to running the XL 
algorithm one degree higher and eliminating all the highest degree monomials. 
However it is not hard to construct examples where two variables prove to be 
enough. 

The T' method is perhaps the least understood part of XL-type algorithms. 
Experiments have proved to be inconclusive, and more study may be needed to 
verify whether it can be used in general as a final step of algorithms for efficiently 
solving systems of multivariate equations. 

7 Conclusion 

Since the proposal of the XSL algorithm, the potential for algebraic attacks 
against block ciphers, and in particular the AES, has been the source of much 
speculation and has attracted a lot of attention from the cryptographic commu- 
nity. Although not much is known about the effectiveness of algebraic attacks 
as a cryptanalytic technique, it is widely believed that the most promising ap- 
proach is the development of dedicated methods for specific block ciphers. The 
XSL algorithm is perhaps the first attempt to exploit the particular structure of 
the AES system of equations. We have shown however that, as presented in [11], 
the XSL algorithm cannot solve the system arising from the AES. By discussing 
some alternatives for the algorithm, we come to the conclusion that, in its cur- 
rent form, it is unlikely that the algorithm can provide an efficient method for 
solving the AES system of equations. 
A The XSL Attack on the AES-128 

In this Appendix we make some computations concerning the XSL attack against 
the AES with 128-bit keys. 


A.1 Key Schedule 

The AES key schedule presents a different structure from the encryption, in that 
not all key variables go through an S-Box. The suggestion in [10] is that, when 
performing the second XSL attack, one should introduce the so-called “artificial 
S-Boxes”, with some key variables and no equations. Instead of that, in our 
analysis we rewrite the key schedule system such that these “artificial S-Boxes” 
are no longer required. 

There are $S_k = N_a N_r$ S-Boxes in the AES key schedule, and a total of 
$s N_a N_b (N_r + 1)$ subkey variables, of which $s N_a N_r$ go through an S-Box during 
the key schedule. So we choose to introduce $s N_a N_r$ new variables, to represent 
the bits of the S-Box output. For the AES-128, we have $N_a = N_b = 4$, 
$N_r = 10$, and so $S_k = 40$. A diagram for the key schedule of the AES-128 is 
shown in Figure 2. 

The key schedule set of equations used in the XSL attack consists initially 
of $s N_a N_b N_r$ linear equations. We can however express all subkey variables as 
linear expressions of the $2 s N_a N_r$ S-Box variables (representing the bits of $k_{j,3,i}$ 
and $s_{j,3,i}$), as shown in the equations below: 


$$\begin{aligned}
k_{0,0,i} &= k_{0,3,i} + k_{1,3,i} + k_{2,3,i} + k_{3,3,i} + s_{2,3,i} + s_{1,3,i} + s_{0,3,i} \\
k_{1,0,i} &= k_{0,3,i} + k_{1,3,i} + k_{2,3,i} + k_{3,3,i} + s_{2,3,i} + s_{1,3,i} \\
k_{2,0,i} &= k_{0,3,i} + k_{1,3,i} + k_{2,3,i} + k_{3,3,i} + s_{2,3,i} \\
k_{j,0,i} &= k_{j,3,i} + k_{j-1,3,i} + k_{j-2,3,i} + k_{j-3,3,i} \qquad \text{for } j = 3 \ldots (N_r - 1) \\
k_{0,1,i} &= k_{0,3,i} + k_{2,3,i} + s_{1,3,i} \\
k_{1,1,i} &= k_{1,3,i} + k_{3,3,i} + s_{2,3,i} \\
k_{j,1,i} &= k_{j,3,i} + k_{j-2,3,i} \qquad \text{for } j = 2 \ldots (N_r - 1) \\
k_{0,2,i} &= k_{0,3,i} + k_{3,3,i} + s_{2,3,i} \\
k_{j,2,i} &= k_{j,3,i} + k_{j-1,3,i} \qquad \text{for } j = 1 \ldots (N_r - 1) \\
k_{N_r,0,i} &= k_{N_r-4,3,i} + k_{N_r-3,3,i} + k_{N_r-2,3,i} + k_{N_r-1,3,i} + s_{N_r-1,3,i} \\
k_{N_r,1,i} &= k_{N_r-4,3,i} + k_{N_r-2,3,i} + s_{N_r-1,3,i} \\
k_{N_r,2,i} &= k_{N_r-4,3,i} + k_{N_r-1,3,i} + s_{N_r-1,3,i} \\
k_{N_r,3,i} &= k_{N_r-4,3,i} + s_{N_r-1,3,i}
\end{aligned}$$

The equations above can also be used to simplify the key schedule linear layer 
equations relating variables from S-Boxes. These equations can be written as 

$$k_{j,3,i} = k_{j+4,3,i} + s_{j+3,3,i} \qquad \text{for } j = 0 \ldots (N_r - 5). \qquad (12)$$

We therefore have $N_a (N_r - 4)$ sets of $s$ linear equations, and so $K_e = N_a (N_r - 4) s$. 
For the AES-128, we have $K_e = 192$. The number of key schedule S-Boxes needed 
to express the different subkeys is given in Table 1. 
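The relations above can be checked mechanically. The following Python example (added here; not the paper's code) implements the AES-128 key expansion from the S-Box definition, folds the round constant $Rcon_j$ into the S-Box word $s_j$ (an assumption of this example that makes every relation an exact XOR), verifies each expression and relation (12) on a concrete key, and recomputes the S-Box counts of Table 1 from the expressions.

```python
from functools import reduce


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def _build_sbox() -> list:
    """AES S-Box from its definition: inverse in GF(2^8), then the affine map."""
    box = []
    for x in range(256):
        inv = reduce(_gf_mul, [x] * 254, 1) if x else 0      # x^254 = x^-1
        y = 0x63
        for i in range(8):
            bit = (inv >> i) ^ (inv >> ((i + 4) % 8)) ^ (inv >> ((i + 5) % 8)) \
                ^ (inv >> ((i + 6) % 8)) ^ (inv >> ((i + 7) % 8))
            y ^= (bit & 1) << i
        box.append(y)
    return box


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
NR = 10   # N_r for the AES-128


def key_schedule(key: bytes):
    """Return (k, s): k[j][c] is word c of round key j (bits k_{j,c,i}), j = 0..NR,
    and s[j] is the S-Box output word of round j (bits s_{j,3,i}).  Rcon_j is folded
    into s[j] (an assumption of this example) so the relations hold exactly as XORs."""
    assert len(key) == 16
    w = [int.from_bytes(key[4 * c:4 * c + 4], "big") for c in range(4)]
    s = []
    for j in range(NR):
        t = w[4 * j + 3]
        rot = ((t << 8) & 0xFFFFFFFF) | (t >> 24)                                   # RotWord
        sub = int.from_bytes(bytes(SBOX[b] for b in rot.to_bytes(4, "big")), "big")  # SubWord
        s.append(sub ^ (RCON[j] << 24))
        w.append(w[4 * j] ^ s[j])                                                   # k_{j+1,0}
        for c in range(1, 4):
            w.append(w[4 * (j + 1) + c - 1] ^ w[4 * j + c])                        # k_{j+1,c}
    return [w[4 * j:4 * j + 4] for j in range(NR + 1)], s


def subkey_expressions(nr: int = NR) -> dict:
    """Each subkey word k_{j,c} as a set of terms ('k', j') = k_{j',3}, ('s', j') = s_{j',3},
    transcribed from Appendix A.1 (k_{j,3} for j < N_r is just itself)."""
    K, S = (lambda j: ("k", j)), (lambda j: ("s", j))
    e = {(0, 0): {K(0), K(1), K(2), K(3), S(2), S(1), S(0)},
         (1, 0): {K(0), K(1), K(2), K(3), S(2), S(1)},
         (2, 0): {K(0), K(1), K(2), K(3), S(2)},
         (0, 1): {K(0), K(2), S(1)}, (1, 1): {K(1), K(3), S(2)}, (0, 2): {K(0), K(3), S(2)},
         (nr, 0): {K(nr - 4), K(nr - 3), K(nr - 2), K(nr - 1), S(nr - 1)},
         (nr, 1): {K(nr - 4), K(nr - 2), S(nr - 1)},
         (nr, 2): {K(nr - 4), K(nr - 1), S(nr - 1)},
         (nr, 3): {K(nr - 4), S(nr - 1)}}
    for j in range(3, nr):
        e[(j, 0)] = {K(j), K(j - 1), K(j - 2), K(j - 3)}
    for j in range(2, nr):
        e[(j, 1)] = {K(j), K(j - 2)}
    for j in range(1, nr):
        e[(j, 2)] = {K(j), K(j - 1)}
    for j in range(nr):
        e[(j, 3)] = {K(j)}
    return e


def relations_hold(key: bytes) -> bool:
    """Check every expression of Appendix A.1 and relation (12) on a concrete key."""
    k, s = key_schedule(key)
    for (j, c), terms in subkey_expressions().items():
        value = 0
        for kind, idx in terms:
            value ^= k[idx][3] if kind == "k" else s[idx]
        if value != k[j][c]:
            return False
    # relation (12): k_{j,3} = k_{j+4,3} + s_{j+3,3} for j = 0 .. N_r - 5
    return all(k[j][3] == k[j + 4][3] ^ s[j + 3] for j in range(NR - 4))


def sbox_count_table() -> dict:
    """Table 1: distinct key-schedule S-Boxes (round index) in the expression of each k_{j,c}."""
    e = subkey_expressions()
    return {c: [len({idx for _, idx in e[(j, c)]}) for j in range(NR + 1)] for c in range(4)}
```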
Fig. 2. Diagram for the AES-128 key schedule 

Table 1. Number of S-Boxes used in equations involving the subkey variables $k_{j,0,i}, \ldots, k_{j,3,i}$ 

j           || 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 
$k_{j,0,i}$ || 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 
$k_{j,1,i}$ || 3 | 3 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 3 
$k_{j,2,i}$ || 3 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 
$k_{j,3,i}$ || 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 2 


A.2 Complexity of the XSL Attack on the AES-128 

In this section we show that, in addition to the issues raised in Section 5, the XSL 
heuristics presented in [11] overestimate the number of equations generated by the 
algorithm 4. Firstly, when deriving the complexity of the attacks, the XSL heuristics 
assume that all equations generated by the method are linearly independent. 
It should be clear that they are not. Even for $P = 2$, there are many relations of 
the type $f_i \cdot [f_j] = f_j \cdot [f_i]$. Secondly, the XSL algorithm states that neighbouring 
S-Boxes need to be excluded when multiplying the linear layer equations. This also 
needs to be taken into account when estimating the total number of equations. 

The subsets of linear layer equations from the encryption have common vari- 
ables with four S-Boxes from the current round, one S-Box from the next round 
(except in the first and last rounds, where some monomials are replaced by the 
plaintext or the ciphertext), and a number of key schedule S-Boxes. The num- 
ber of neighbouring S-Boxes for the key schedule equations can be derived from 
Table 1, while the number of neighbouring S-Boxes for the encryption equations 
is given in Table 2. 

Therefore the number of equations obtained by multiplication should be 

mi fc= i v 7 


4 Note that although the key schedule equations were not used in [11], the way the 
heuristics were used to obtain the number of equations can be easily applied to the 
system including the key schedule. 
Table 2. Number of neighbouring S-Boxes for the encryption equations (defining $w_{j,k,i}$) 

j           || 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 
$w_{j,0,i}$ || 5 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 9 | 8 
$w_{j,1,i}$ || 4 | 8 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 
$w_{j,2,i}$ || 4 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 6 
$w_{j,3,i}$ || 2 | 6 | 6 | 6 | 6 | 6 | 6 | 6 | 6 | 6 | 6 


instead of $S s (t - r)^{P-1} \binom{S-1}{P-1}$ given in [11]. Likewise, the number of monomials 
is 

T =X>- r - 1 >‘(f) < 14 > 

instead of $(t - r)^P \binom{S}{P}$ given in [11]. For the AES-128, we have 

$$S = S_m + S_k = N_a N_b N_r + N_a N_r = 200, \qquad L = N_a N_b (N_r + 1) + N_a (N_r - N_b) = 200,$$

while $b_i$ can be obtained from Tables 1 and 2. 

Using these figures and the formulas given in [11], we obtain $P = 9$, giving 
$T \approx 2^{100}$ and $T^{\omega} \approx 2^{238}$ for the second XSL attack against the AES-128. We 
note however that we are not taking into account the linear dependencies between 
these equations, and so the complexity is likely to be much higher. 

We also note that, with these new figures and assuming that almost all $R$ 
equations are linearly independent [11], the T' method seems to be irrelevant for 
the attack. In fact, since $T \approx 100\,T'$, when $P = 9$ we already have $R > T - 2$ 
(so there is no need for the T' method), while for $P = 8$ we are still in the 
situation that $R < T - T'$ (and are therefore unlikely to be able to use the T' 
method). 

B Relation Between sXL and XL 

We present here the proof of Proposition 1 from Section 5.1. 

Let $S$ be the set of equations consisting of the original linear layer equations 
(after the processing described in Section 4), and the relations (4) resulting from 
the S-Boxes equations. All these equations are written as sums of terms made up 
of the product of monomials in the bases of the S-Boxes. 

Let $D \in \mathbb{N}$ and $U_D$ be the set of equations generated by running the sXL 
algorithm with the parameter $P = D$ on the set $S$. Denote by $\mathbb{K}[\{x_{ij} \cdot w_{ik}\}]$ 
the subring of $\mathbb{K}[x, w]$ generated by the various monomials of type $(x_{ij} \cdot w_{ik})$ 
contained in the bases of the S-Boxes. Furthermore, let $\mathbb{K}[\{x_{ij} \cdot w_{ik}\}]_{\leq 2D}$ and 
$\mathbb{K}[x, w]_{\leq 2D}$ be the $\mathbb{K}$-vector spaces generated by the respective polynomials of 
total degree at most $2D$. It is clear that we have $U_D \subset \mathbb{K}[\{x_{ij} \cdot w_{ik}\}]_{\leq 2D}$. 
Similarly to [12], we define 

$$\chi(D) = \dim_{\mathbb{K}}(\mathbb{K}[\{x_{ij} \cdot w_{ik}\}]_{\leq 2D}) - \dim_{\mathbb{K}}(U_D).$$

The sXL algorithm will yield a solution for the system if $\chi(D) = 1$ (we are 
ignoring by now the T' method) 5. We denote by $P_m$ the minimal value of $D$ for 
which this relation is satisfied. 

We now introduce new variables $Y_{ijk}$ and substitute the monomials $(x_{ij} \cdot w_{ik})$ 
in the equations in $S$ by $Y_{ijk}$. As the equations in $S$ are either quadratic or 
quartic, this can be done in a straightforward way. We denote this new set of 
equations by $\overline{S} \subset \mathbb{K}[Y]$. To this set we add the equations (6) 

$$Y_{ijk} \cdot Y_{ipq} = Y_{ijq} \cdot Y_{ipk}, \qquad (15)$$

contained in the set $\mathcal{R} \subset \mathbb{K}[Y]$. Let $\overline{U}_D$ be the set of equations generated by 
running the XL algorithm up to degree $D$ on the set $\overline{S} \cup \mathcal{R} \subset \mathbb{K}[Y]$. It is clear 
that we have $\overline{U}_D \subset \mathbb{K}[Y]_{\leq D}$. Now we define 

$$\overline{\chi}(D) = \dim_{\mathbb{K}}(\mathbb{K}[Y]_{\leq D}) - \dim_{\mathbb{K}}(\overline{U}_D).$$

Again, we can solve the system directly by linearization if $\overline{\chi}(D) = 1$, but more 
generally, we only need $\overline{\chi}(D) \leq D$. We denote by $D_m$ the minimal degree $D$ for 
which this relation is satisfied. 

Let $\phi$ be the $\mathbb{K}$-homomorphism defined as 

$$\phi : \mathbb{K}[Y]_{\leq D} \to \mathbb{K}[\{x_{ij} \cdot w_{ik}\}]_{\leq 2D}, \qquad Y_{ijk} \mapsto x_{ij} w_{ik}.$$

It is clear that $\phi(\mathbb{K}[Y]_{\leq D}) = \mathbb{K}[\{x_{ij} \cdot w_{ik}\}]_{\leq 2D}$ and $\phi(\overline{U}_D) = U_D$. Let $V_D$ be the 
subset of $\mathbb{K}[Y]_{\leq D}$ defined as 

$$V_D = \Big\langle \prod_{l=1}^{D-2} Y_{i_l j_l k_l} \cdot \mathcal{R} \Big\rangle. \qquad (16)$$

Lemma 2. $V_D$ is the kernel of the homomorphism $\phi$. 

Proof. In one direction, it is clear that $V_D \subseteq \ker \phi$. Now let $B = \{M_i\}$ be 
the canonical basis of $\mathbb{K}[Y]_{\leq D}$ and $r$ the number of distinct monomials of type 
$\phi(M_i)$. It is clear that each $\phi(M_i)$ is a non-null monomial of $\mathbb{K}[\{x_{ij} \cdot w_{ik}\}]_{\leq 2D}$, 
and thus $r$ is the rank of $\phi$. We can then choose $b = \#B - r$ linearly independent 
polynomials of the form $M_i + M_j$ with $\phi(M_i) = \phi(M_j)$. Since $\dim(\ker \phi) = b$, it 
follows that these polynomials form a basis of $\ker \phi$. 

Let $M_1 = \prod_l m_{1l}$, where $m_{1l} = \prod_r Y_{i_l j_r k_r}$ are monomials involving only 
variables (i.e. quadratic monomials in $\mathbb{K}[\{x_{ij} \cdot w_{ik}\}]$) from the same S-Box. It is 
clear that $M_2 = \prod_l m_{2l}$, with $\phi(m_{1l}) = \phi(m_{2l})$. So without loss of generality, 
we assume that $M_1 = m_1 = \prod_r Y_{i j_r k_r}$ and $M_2 = m_2 = \prod_l Y_{i j_l k_l}$. 

If we write $\nu : j_r \mapsto k_r$ and $M_1 = \prod_j Y_{i j \nu(j)}$, then there exists a permutation 
$\sigma \in S_k$ such that $M_2 = \prod_j Y_{i \sigma(j) \nu(j)}$. Write $\sigma$ as a product of transpositions 

5 In fact, by renaming monomials if necessary, we should be able to successfully solve 
the system if $\chi(D) \leq D$ [8]. 
$\sigma = \prod_p \tau_p$, where $\tau_p = (a_p, b_p)$ with $a_p, b_p \in \{k_r\}$. Denote by $t_p$ the product 
$\tau_{p-1} \tau_{p-2} \cdots \tau_0$, where $t_0 = \mathrm{id}$ and $t_\infty = \sigma$. If we call 

$$Z_{jk} = \begin{cases} Y_{ijk} & \text{if } j \neq k \\ [Y_{ijk}] & \text{if } j = k, \end{cases}$$

then we have 

$$\prod_i Z_{t_p(i) \nu(i)} + \prod_i Z_{t_{p+1}(i) \nu(i)} = \big( Z_{a_p \nu(a_p)} Z_{b_p \nu(b_p)} + Z_{a_p \nu(b_p)} Z_{b_p \nu(a_p)} \big) \prod_{t_p(i) \neq a_p, b_p} Z_{t_p(i) \nu(i)}.$$

Therefore 

$$M_1 + M_2 = \prod_i Z_{t_0(i) \nu(i)} + \prod_i Z_{t_\infty(i) \nu(i)} \in \big\langle (Z_{\alpha\beta} Z_{\gamma\delta} + Z_{\alpha\delta} Z_{\gamma\beta}) \cdot \mathbb{K}[Y]_{\leq D-2} \big\rangle,$$

and $\ker \phi = V_D$. □ 

Therefore, according to the lemma we have 

$$\mathbb{K}[Y]_{\leq D} / V_D = \mathbb{K}[\{x_{ij} \cdot w_{ik}\}]_{\leq 2D} \quad \text{and} \quad \overline{U}_D / V_D = U_D.$$

It follows that $\overline{\chi}(D) = \chi(D)$ and $P_m = D_m$. 

C An Example for which the T' Method Fails 

In Appendix B of [11] a concrete working example for the T' method is presented. 
The example consisted of a system of 8 quadratic equations with 5 variables, such 
that T = 16 and T' = 10. By alternately applying the method with respect to the 
variables xi and x 2 , a total of 15 linearly independent equations were obtained 
and the system could then be solved by linearization. 

Below we present an example for which the T' method does not work. Our 
system has 7 linearly independent quadratic equations over $\mathbb{F}_2$ with 5 variables 
(so we have $E = 7$, $T = 16$ and $T' = 10$). Our system has also a unique solution 
($x_2 = x_3 = x_5 = 0$, $x_1 = x_4 = 1$). In our case, however, there is only one 
exceeding equation, i.e. $C = E - T + T' = 1$. 

$$\left\{ \begin{aligned}
x_1 x_2 + x_1 x_4 + x_2 x_3 + x_2 x_5 + x_4 x_5 + x_1 + x_3 + x_4 + x_5 + 1 &= 0 \\
x_1 x_2 + x_1 x_3 + x_2 x_5 + x_3 x_5 + x_4 x_5 + x_4 + 1 &= 0 \\
x_2 x_3 + x_3 x_5 + x_3 x_4 + x_2 + x_3 + x_4 + x_5 + 1 &= 0 \\
x_1 x_5 + x_1 x_3 + x_3 x_4 + x_4 x_5 + x_5 &= 0 \\
x_1 x_5 + x_1 x_3 + x_2 x_4 + x_2 + x_3 &= 0 \\
x_1 x_3 + x_2 x_4 + x_3 x_5 + x_1 + x_2 + x_5 + 1 &= 0 \\
x_2 x_5 + x_2 x_3 + x_4 x_5 + x_2 + x_3 + x_5 &= 0
\end{aligned} \right. \qquad (17)$$
The system (17) is such that for every variable $x_i$ we have $\mathcal{C}_i \subseteq \ker(X_i)$ and 
therefore $X_i(\mathcal{C}_i) = \{0\}$. So we are unable to obtain a single new equation. For 
example, on working with the variable $x_1$, we can represent the system as: 

$$\left\{ \begin{aligned}
x_2 x_3 &= x_1 x_3 + x_1 x_4 + x_1 x_5 + 1 \\
x_2 x_4 &= x_1 x_3 + x_1 x_5 + x_2 + x_3 \\
x_2 x_5 &= x_1 x_3 + x_1 + x_3 + x_4 \\
x_3 x_4 &= x_1 x_3 + x_1 x_4 + x_1 + x_2 + x_4 + 1 \\
x_3 x_5 &= x_1 x_5 + x_1 + x_3 + x_5 + 1 \\
x_4 x_5 &= x_1 x_4 + x_1 x_5 + x_1 + x_2 + x_4 + x_5 + 1 \\
1 &= x_1 x_2 + x_1 x_4 + x_1 + x_2 + x_4.
\end{aligned} \right. \qquad (18)$$

However, when multiplying the last equation by $x_1$ we have 

$$x_1 \cdot (1 + x_1 x_2 + x_1 x_4 + x_1 + x_2 + x_4) = 0.$$

The same is valid for all the remaining variables. For example, with respect to 
$x_2$: 

$$\left\{ \begin{aligned}
x_1 x_3 &= x_2 x_5 + x_1 + x_3 + x_4 \\
x_1 x_4 &= x_2 x_3 + x_2 x_4 + x_2 + x_3 + 1 \\
x_1 x_5 &= x_2 x_4 + x_2 x_5 + x_1 + x_2 + x_4 \\
x_3 x_4 &= x_2 x_3 + x_2 x_4 + x_2 x_5 \\
x_3 x_5 &= x_2 x_4 + x_2 x_5 + x_2 + x_3 + x_4 + x_5 + 1 \\
x_4 x_5 &= x_2 x_3 + x_2 x_5 + x_2 + x_3 + x_5 \\
0 &= x_1 x_2 + x_2 x_3 + x_2 x_4 + x_1 + x_3 + x_4.
\end{aligned} \right.$$

Again the same occurs: 

$$x_2 \cdot (x_1 x_2 + x_2 x_3 + x_2 x_4 + x_1 + x_3 + x_4) = 0.$$

Therefore no new equations can be generated and the T' method fails for this 
system. 
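As an added illustration of the T' method of Section 6 and of this appendix (example code, not the paper's own), the following Python block represents system (17) over $\mathbb{F}_2$, carries out step 1 (Gaussian elimination with the monomials of $\mathcal{T} \setminus \mathcal{T}'_i$ as leading columns) and step 2 (multiplying the equations of $\mathcal{C}_i$ by $x_i$) for each variable, and checks that no new equation appears; it also recomputes $T$ and $T'_i$ from formula (10) and finds the unique solution by brute force.

```python
from itertools import combinations
from math import comb

N, D = 5, 2    # variables x1..x5, quadratic system (Appendix C)


def parse(eq: str) -> set:
    """Parse 'x1x2 + x4 + 1' into a polynomial over F_2, held as a set of monomials;
    each monomial is a frozenset of variable indices (the empty set is the constant 1)."""
    poly = set()
    for term in eq.replace(" ", "").split("+"):
        mono = frozenset() if term == "1" else frozenset(int(v) for v in term.split("x") if v)
        poly ^= {mono}                                   # x + x = 0 over F_2
    return poly


# System (17) of Appendix C, transcribed from the paper's text.
SYSTEM_17 = [parse(e) for e in [
    "x1x2 + x1x4 + x2x3 + x2x5 + x4x5 + x1 + x3 + x4 + x5 + 1",
    "x1x2 + x1x3 + x2x5 + x3x5 + x4x5 + x4 + 1",
    "x2x3 + x3x5 + x3x4 + x2 + x3 + x4 + x5 + 1",
    "x1x5 + x1x3 + x3x4 + x4x5 + x5",
    "x1x5 + x1x3 + x2x4 + x2 + x3",
    "x1x3 + x2x4 + x3x5 + x1 + x2 + x5 + 1",
    "x2x5 + x2x3 + x4x5 + x2 + x3 + x5",
]]


def monomials(n: int = N, d: int = D) -> list:
    """The set T: all monomials of degree at most d in n variables (x^2 = x)."""
    return [frozenset(c) for k in range(d + 1) for c in combinations(range(1, n + 1), k)]


def t_prime(i: int, n: int = N, d: int = D) -> list:
    """The set T'_i: monomials t with x_i * t still in T."""
    return [m for m in monomials(n, d) if i in m or len(m) < d]


def counts_from_formula(n: int = N, d: int = D) -> tuple:
    """(T, T'_i) as given by formula (10) of Section 6."""
    return (sum(comb(n, j) for j in range(d + 1)),
            sum(comb(n, j) for j in range(d)) + comb(n - 1, d - 1))


def _reduce(row: int, basis: dict) -> int:
    """Reduce a bitmask row against an echelon basis {pivot bit: row}; pivot = highest bit."""
    while row:
        p = row.bit_length() - 1
        if p not in basis:
            return row
        row ^= basis[p]
    return 0


def t_prime_step(system: list, i: int, n: int = N, d: int = D) -> tuple:
    """One iteration of the T' method for x_i: Gaussian elimination with the monomials
    of T minus T'_i as leading columns, then multiply the equations lying entirely in
    T'_i (the subspace C_i) by x_i.  Returns (E, C_i, number of new independent equations)."""
    tp = t_prime(i, n, d)
    order = tp + [m for m in monomials(n, d) if m not in tp]   # T'_i in the low bits
    col = {m: b for b, m in enumerate(order)}
    basis = {}
    for poly in system:
        row = _reduce(sum(1 << col[m] for m in poly), basis)
        if row:
            basis[row.bit_length() - 1] = row
    rank = len(basis)
    c_i = [row for piv, row in basis.items() if piv < len(tp)]
    new = 0
    for row in c_i:
        prod = 0
        for b in range(len(tp)):
            if row >> b & 1:
                prod ^= 1 << col[order[b] | {i}]            # x_i * m, using x_i^2 = x_i
        r = _reduce(prod, basis)
        if r:                                               # a genuinely new equation
            basis[r.bit_length() - 1] = r
            new += 1
    return rank, len(c_i), new


def t_prime_fails(system: list, n: int = N, d: int = D) -> bool:
    """True when no variable x_i yields a new equation (the situation of Lemma 1)."""
    return all(t_prime_step(system, i, n, d)[2] == 0 for i in range(1, n + 1))


def solutions(system: list, n: int = N) -> list:
    """Brute-force the common zeros over F_2 (feasible for this 5-variable example)."""
    sols = []
    for bits in range(1 << n):
        x = {v: (bits >> (v - 1)) & 1 for v in range(1, n + 1)}
        if all(sum(all(x[v] for v in m) for m in poly) % 2 == 0 for poly in system):
            sols.append(tuple(x[v] for v in range(1, n + 1)))
    return sols
```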
Abstract. Time/memory tradeoff (TMTO) is a generic method of in- 
verting oneway functions. In this paper, we focus on identifying candidate 
oneway functions hidden in cryptographic algorithms, inverting which 
will result in breaking the algorithm. The results we obtain on stream 
and block ciphers are the most important ones. For streamciphers using 
IV, we show that if the IV is shorter than the key, then the algorithm is 
vulnerable to TMTO. Further, from a TMTO point of view, it makes no 
sense to increase the size of the internal state of a streamcipher without 
increasing the size of the IV. This has impact on the recent ECRYPT call 
for streamcipher primitives and clears an almost decade old confusion on 
the size of key versus state of a streamcipher. For blockciphers, we con- 
sider various modes of operations and show that to different degrees all 
of these are vulnerable to TMTO attacks. In particular, we describe mul- 
tiple data chosen plaintext TMTO attacks on the CBC and CFB modes 
of operations. This clears a quarter century old confusion on this issue 
starting from Hellman’s seminal paper in 1980 to Shamir’s invited talk 
at Asiacrypt 2004. We also provide some new applications of TMTO and 
a set of general guidelines for applying TMTO attacks. 

Keywords: time memory data tradeoff. 

1 Introduction 

Time memory tradeoff (TMTO) algorithm is a generic method of inverting oth- 
erwise well behaved oneway functions. The technique of using TMTO to invert 
oneway function was introduced by Hellman in his seminal paper [16] on the 
topic in 1980. This topic has two parts. 

TMTO Algorithms: This covers development of new TMTO algorithms including 
use of multiple data and investigation of theoretical issues about general TMTO 
algorithms. Apart from Hellman’s work, other contributions to this line of 
research include Rivest’s idea of distinguished points, Fiat-Naor [10], Babbage [4], 
Golic [12], Biryukov-Shamir [7], Oechslin [23] and Kim-Matsumoto [20]. In this 
work, we will use some of the relevant results from the above papers, but we will 
not present any new contribution to this area. 

TMTO Applications: Our contribution is to this area of TMTO research. As 
mentioned before, TMTO is applied to invert oneway function. Therefore an 
important question is to identify a target oneway function on which to apply 
TMTO. The initial work by Hellman [16] is a chosen plaintext attack and 
applies TMTO to the oneway function which maps the keyspace to the cipherspace 
by encrypting an a priori chosen message using a blockcipher. The work of Bab- 
bage [4], Golic [12] and Biryukov-Shamir [7] applies TMTO to the oneway func- 
tion which maps the internal state space to a keystream segment of a streamci- 
pher. See [13] for an adaptation of this application to the state space of a PRNG. 

We would like to point out that this clear distinction between TMTO algo- 
rithm and the oneway function on which to apply it does not appear explicitly 
in the literature. On the other hand, with this distinction made clear one begins 
to search for suitable oneway functions hidden in cryptographic algorithms on 
which to apply TMTO. 

In this paper, we present a systematic investigation of the above line of 
research. We consider a wide range of cryptographic algorithms and look for 
candidate oneway functions for TMTO applications. Our results on stream and 
block ciphers are the most interesting and also turns out to be quite important 
as discussed below. We also consider hash functions and asymmetric algorithms 
and finally describe a set of guidelines for applying TMTO to cryptographic 
algorithm. Due to lack of space, the last description as well as some of the other 
details are given in the Appendix. We next describe our contributions to stream 
and block ciphers. 

1.1 Streamcipher 

As mentioned before, the works of Babbage [4], Golic [12], and Biryukov-Shamir 
[7] have applied TMTO to the oneway function mapping internal state to a 
keystream segment. A suggested countermeasure for resisting TMTO has been 
to use a state whose size is double that of the key size. This can be seen from 
the following quote from [12]. 

“. . . doubling the memory size, from 64 to 128 bits, is very likely to push 
the attacks beyond the current technological limits. Note that the secret 
session key size need not be increased to 128 bits.” 

Over the last few years, this has led streamcipher designers to incorporate huge 
internal states. Also, most recent streamcipher proposals have quoted their huge 
state size as indications of resistance to TMTO attacks. 

We revisit TMTO on streamciphers. Most streamciphers use an initialization 
vector (IV) in addition to the secret key. We show that the function mapping 
(key, IV) to a keystream segment of suitable length is a candidate oneway func- 
tion for TMTO application. In the case where the key is longer than the IV, the 
algorithm becomes vulnerable to TMTO irrespective of the size of the internal 
state. Thus, huge state size does not guarantee resistance to TMTO attacks. This 
clears an almost decade old confusion on this issue. Further, our results shows 
that it does not make sense to increase the state size without a corresponding 
increase of the IV size. These results have been considered important enough to 
bring about a change in the recent ECRYPT call for streamcipher primitives. 

Prior to our work, the only oneway function in a streamcipher considered for 
TMTO application was the state to keystream map. Our work shows that the 
(key, IV) to keystream map is another such function. It is an interesting problem 
to identify other possible candidate functions. Such functions may not be generic 
to all streamciphers (as the above two are), but may also be algorithm specific. 

1.2 Blockcipher 

Blockciphers are mostly used in an appropriate mode of operation. Hellman’s 
attack applies to the ECB mode of operation. There is widespread belief in the 
cryptographic community that the following two points are true. 

1. It is not possible to use multiple data with blockcipher tradeoffs. 

2. Cipher block chaining with random IVs will foil tradeoff attacks on blockci- 
phers. 

The following quote from the invited talk by Adi Shamir at Asiacrypt 2004 [25] 
suggests that the first of these is a well settled fact (and not even an open 
problem). 

“Generic time/memory tradeoff attacks on stream ciphers ($TM^2 D^2 = N^2$) 
are stronger than the corresponding attacks on block ciphers 
($TM^2 = N^2$) since they can exploit the availability of a lot of data.” 

(In fact, the above statement was provided as one of the evidences that blockci- 
phers are stronger than streamciphers.) 

The second point is explicitly stated in Hellman’s paper [16]. We quote the 
relevant portions from Hellman’s paper. The first of these appears on Page 404, 
second column, third paragraph. 

“It should be remembered, however, that the time-memory trade-off does 
not work in a known plaintext attack if block chaining or cipher feedback 
is used. . . ” 


This appears even more explicitly on Page 405, second column, third paragraph 
of Section IV. 

“Even a block cipher can foil the time-memory trade-off in a known 
plaintext attack through cipher block chaining [7], [8] or other tech- 
niques which introduce memory into encipherment. . . . Again, proposed 
standards include provision for cipher block chaining with a random in- 
dicator.” 
The last sentence suggests that using CBC with a random IV will resist TMTO 
attacks. There is some confusion between chosen and known plaintext attacks. 
While the TMTO attack on the ECB mode developed by Hellman is itself a 
chosen plaintext attack, the above comments relate only to known plaintext 
TMTO attacks. We discuss this point in more detail in Appendix A. 

We investigate the possibility of TMTO application on various block cipher 
modes of operations. For every mode of operation that we consider, it turns out 
that there is a suitable oneway function to which chosen plaintext TMTO can 
be applied under appropriate conditions. The most interesting results are for 
the CBC and the CFB modes of operations. Contrary to Shamir’s statement 
above on the use of multiple data, we show how to apply nontrivial multiple 
data TMTO to both the CBC and CFB modes of operations. Further, our results 
show that Hellman's statements above are not correct for chosen plaintext 
attacks (but they could still be true for known plaintext attacks). However, 
an algorithm which is not secure against chosen plaintext attacks cannot be 
considered to be secure. Hence, CBC and CFB modes of operations cannot be 
considered to be secure against TMTO attacks. This clears a quarter century 
old confusion on this issue. 

Related Work: In a recent work, Biryukov [6] studies applications of multiple 
data TMTO. We would like to point out that the situation considered in [6] is 
different from the one we consider here. More specifically, Biryukov [6] considers 
the situation where a single message is encrypted with many keys and the corre- 
sponding ciphertexts are available to the attacker. The goal of the attacker is to 
obtain one of these keys. This situation applies to the ECB mode of operation of 
a block cipher, which is the mode usually considered for cryptanalysis of block 
ciphers. Detailed discussion on strengths of a block cipher in ECB mode and 
UNIX password hashing is presented in [6]. We would like to mention that one 
of the reviewers of this paper pointed out that obtaining one-out-of-many keys 
was earlier suggested in [12]. 

In contrast to [6], this work and its earlier version [17] consider the more general 
problem of identifying suitable oneway functions in cryptographic algorithms 
and possible access to multiple data. The more interesting cases considered here 
are streamciphers with IV, various modes of operation of block ciphers such as 
CBC, CFB, etc. We note that none of these cases is considered in [6]. 

Lastly, we would like to clarify some confusion regarding authorship. The 
work [6] and [22] has been merged and is due to appear as [5] in the proceedings 
of SAC’05. Thus, there is an overlap of authors between [5] and the current 
paper. However, the common author was in no way involved with either the 
preparation or the original submission of [6] to SAC’05. 

2 Review of TMTO Algorithms 

Time memory data tradeoff algorithms are applied to invert one-way functions. 
Let $f : \{0,1\}^n \to \{0,1\}^n$ be a one-way function, inverting which will break a 
cipher. We briefly describe the existing work on the methodology of applying TMTO. 
A TMTO algorithm has two phases. In the offline phase, a set of tables is 
prepared. In the online phase, the attacker is given $y_1, \ldots, y_D$ and has to find a 
pre-image for one of the $y_i$'s, i.e., for some $i$, the attacker has to find one $x_i$ such 
that $f(x_i) = y_i$. 

We put $N = 2^n$ to be the size of the search space. The pre-computation time 
is denoted by $P$ and the online search time is denoted by $T$. The number of data 
points $y_1, \ldots, y_D$ is $D$ and the memory required to store (the required fraction 
of) the tables is denoted by M. 

The original TMTO algorithm by Hellman [16] used $D = 1$ and satisfied the 
so-called TMTO curve: $TM^2 = N^2$ with a typical point of $T = M = N^{2/3}$. The 
pre-computation time is $P = N$. 

Babbage [4] and Golic [12] considered TMTO on streamciphers. The tradeoff 
is basically a birthday attack, and the tradeoff curve is $TM = N$, $T = D$ and 
$P = M = N/D$. We will call this the BG attack. A typical point on the curve is 
$T = M = D = P = N^{1/2}$. 

Biryukov and Shamir described a multiple data variation of the Hellman 
method to obtain a new TMTO on streamciphers. The tradeoff curve $TM^2D^2 = N^2$, 
$1 \le D^2 \le T$, $P = N/D$ was given. We will call this the BS attack. A 
typical point on the curve is $T = M = N^{1/2}$, $D = N^{1/4}$, $P = N^{3/4}$. 

Permutation: If the one-way function $f$ to be inverted is a permutation, then 
even for $D = 1$, one can obtain the tradeoff curve $TM = N$ with a better tradeoff 
of $T = M = N^{1/2}$, $D = 1$. 

Multiple Data: Availability of multiple data improves the effectiveness of a 
TMTO attack. In many cases with D > 1, the pre-computation time will also be 
less than N. On the other hand, we need to carefully examine the scenario under 
which multiple data attack is applied. For example, Hellman originally applied 
TMTO to find the key of a blockcipher used in the ECB mode of operation. An 
easy extension to multiple data attack would be for the attacker to target multi- 
ple keys and be satisfied with obtaining at least one of these. A similar situation 
applies to streamciphers as we point out later. A more nontrivial application of 
multiple data attack is to be able to identify a situation where all the obtained 
data corresponds to one single key. In this paper, we will mostly be concerned 
with TMTO attacks which use multiple data corresponding to a single key. 

Attack complexity: The complexity of a TMTO attack is usually taken to be 
the sum or maximum of T, M, and D. It is customary not to take the pre- 
computation time $P$ as adding to the attack complexity. This is explicitly mentioned 
in the following quote from Hellman [16]: 

“The N operations required to compute the table are not counted because 
they constitute a pre-computation which can be performed at the 
cryptanalyst's leisure.” 

Similarly, Biryukov-Shamir [7] write that the pre-computation phase “can take 
a very long time”. Following in these steps, it has been customary to ignore 
pre-computation time for TMTO attacks. In the case $D = 1$, exhaustive search 
(or even more) pre-computation time is unavoidable. More generally, the pre-computation 
time is $P = N/D$ and $N$ is of the form $2^{k+v}$, where $k$ is the key 
length and $v$ is the length of associated data (IV, nonce, tweak, etc.). If we 
put $D = N^a$, with $0 < a < 1$, then $P = N^{1-a}$ and is less than $2^k$ if $k > \frac{1-a}{a} v$. 
Since $2^k$ corresponds to exhaustive search time, under the last condition the 
pre-computation time is less than exhaustive search. 

3 Streamcipher 

Let us be given a streamcipher algorithm that takes a $k$-bit key. Our search 
space is the key space of size $N = 2^k$. Consider the following oneway function 
$f$ which takes a single $k$-bit key (and no IV) as input. The cipher algorithm 
specifies a key load mechanism and an initialization procedure. Take the first $k$ 
bits of keystream as output for the function $f$. 

Inverting $f$ will provide the key. This approach of applying TMTO to the 
key space of a streamcipher is not a new idea. Hellman [16] briefly mentions 
this situation as one possible application. Also, in the appendix of a more recent 
paper [11], this situation is more definitely mentioned in relation to the BG-tradeoff. 

Let us consider multiple data when applying TMTO to $f$. Consider the situation 
of a dummy terminal session. Assume that each session is encrypted with a 
new key, and that the first encrypted text of a session is the (fixed) login screen 
so that the keystream prefix of each session is always exposed. Each session 
we observe gives one target data point. Inverting any one of the data points 
gives us the corresponding secret key. Using the BS curve, if we can observe 
$D = N^{1/4} = 2^{k/4}$ sessions, then we have an attack with $T = M = N^{1/2} = 2^{k/2}$ 
and $P = 2^{3k/4}$. Depending on the amount of available data, one could also choose 
other suitable points of the BS curve. In any case, under this kind of an attack 
scenario, no streamcipher can provide security level equal to its key length. 

3.1 Streamciphers with IV 

The situation with streamciphers has changed somewhat since the early work 
of Hellman, and modern ciphers now use a nonce or an initial vector (IV) in 
addition to the secret key. Resynchronization is more common in this situation, 
and obtaining large sets of data is more realistic. 

Consider an environment where many short messages are encrypted, each 
with a different IV. Assume that the master key is seldom changed. This may 
happen with wireless communication frames, or maybe a disk encryption scheme 
where each sector is encrypted with a different IV. Assume some of these frames 
or sectors are known to us in the form of bare keystream. Since IVs are usually 
public, if we can obtain the master key to one of these frames, all other frames 
using the same master key would be readable. 

We first need to define an appropriate oneway function. Consider the function 

$f : \{\text{master keys}\} \times \{\text{IVs}\} \to \{\text{keystream prefix}\}$. (1) 

Function $f$ sends a random ($k$-bit key, $v$-bit IV) pair to a $(k+v)$-bit keystream 
prefix. So our search space is of size $N = 2^{k+v}$. For a good cipher, this mapping 
should behave like a random function. We consider three cases with different 
data requirements. The first of these follows from the BG curve ($TM = N$, 
$T = D$), while the other two follow from the BS curve $TM^2D^2 = N^2$. 

1. $(P, D, M, T) = (N^{1/2}, N^{1/2}, N^{1/2}, N^{1/2})$: $P = 2^{(k+v)/2} < 2^k$ for $k > v$. 

2. $(P, D, M, T) = (N^{2/3}, N^{1/3}, N^{1/3}, N^{2/3})$: $P = 2^{2(k+v)/3} < 2^k$ for $k > 2v$. 

3. $(P, D, M, T) = (N^{3/4}, N^{1/4}, N^{1/2}, N^{1/2})$: $P = 2^{3(k+v)/4} < 2^k$ for $k > 3v$. 

If we ignore pre-computation time, then data requirement is the minimum in 
the third case above. In this case, we have an attack whenever $T = M = N^{1/2}$ 
is less than 2 k . The last condition holds for k > v and hence we can say that if 
IV is any shorter than key, the streamcipher is vulnerable to a TMTO attack. 

Pre- Computation Time: If we wish to take pre-computation time into account, 
then the third case gives an attack for k > 3v. If more data is available, then 
using the first two cases, we get attacks under different relations between k 
and $v$. As already mentioned before, if $D = N^a$ for some $0 < a < 1$, the 
pre-computation time is $P = N^{1-a}$ and is less than $2^k$ for $k > \frac{1-a}{a} v$. On the other 
hand, for a fixed value of k and v, if we wish to make the pre-computation time 
at least as expensive as exhaustive search, then we must ensure that the access 
to multiple data is restricted to the condition a < v/(k + v). If a > v/ (k + v), 
then we have a TMTO attack where even the pre-computation time is less than 
exhaustive search. 

Below, we state some remarks on this and give some variations to this 
method. 

1. Putting a restriction on how many frames are encrypted before the master 
key is renewed does not stop this attack completely. The attacker still gets 
to know one of the many master keys. 

2. Making the state initialization process more complex has no effect at all 
on this TMTO attack. Neither does the size of the internal state of the stream 
cipher affect this TMTO in any manner. 

3. The known part of keystream need not be at the very beginning. As long 
as they are fixed positions in the keystream, they do not even need to be 
continuous. The oneway function can be defined to match the known part. 

4. If IV is XORed into the key before being placed into the internal state, 
we could set the domain of the oneway function to be at that position. In 
general, the domain of / should be at the point of least entropy occurring 
during the initialization process. 

5. Using IVs in a predictable manner effectively reduces the IV space, making 
TMTO more efficient. 

3.2 State Versus Key Size 

Previous multiple data attacks on streamciphers have targeted the internal state 
of the cipher. It has been suggested that to resist TMTO attacks, the internal 
state size should be at least twice the key size. Our new attack shows that if 
IV is any shorter than the key, then the streamcipher is vulnerable to TMTO 
irrespective of the size of the internal state. There are two consequences. 

First, simply increasing state size of a streamcipher does not make the al- 
gorithm TMTO resistant. Second, it does not make sense to increase the state 
size without a corresponding increase in the size of the IV. For example, if one 
believes that TMTO forces internal state of any streamcipher to be twice as big 
as key, as is requested in the ECRYPT Call for Stream Cipher Primitives [3], 
then one should also request IV size to be at least as big as key size. 

Conversely, suppose one is on the other side of this argument, with the opinion 
that birthday attack based BG-tradeoff should not be taken seriously, and that 
BS-tradeoff with pre-computation time consideration only mandates IV size bigger 
than half of key size. Then one should demand state size of only 1.5 times key size. 


3.3 ECRYPT Streamcipher Project 

Consider a streamcipher taking 80-bit keys with 32-bit IVs. At first, this seems 
to be a perfectly normal use of key and IV. Actually, this is one of the mandatory 
parameter sets for streamciphers aiming for Profile 2 of the recent ECRYPT Call 
for Stream Cipher Primitives [3]. 

Here $N = 2^{112}$ and using the BS curve $TM^2D^2 = N^2$, one sees that this is 
vulnerable under the tradeoff point $T = M = 2^{56}$, $D = 2^{28}$, $P = 2^{84}$. The pre- 
computation time is slightly more than exhaustive key search. The tradeoff point 
$T = 2^{74.7}$, $M = D = 2^{37.3}$, $P = 2^{74.7}$ is also applicable, and brings the offline 
complexity to under 80 bits. One weak point of this second approach is that the data 
must spread over multiple keys and the attacker recovers only one of these keys. 

After a preliminary version [17] of our work was made public, members of 
ECRYPT STVL have posted a note [8], with the following modifications. 

- 80-bit key with 32-bit IV can no longer be considered a secure parameter set 
for streamciphers. 

- It makes no sense to increase internal state size of a streamcipher without 
increasing IV size. 

Thus, even though our attack appears to be simple, it turns out to be important 
enough to bring changes to the ECRYPT call for streamcipher primitives. Ac- 
tually, we were also surprised that such a simple and important observation as 
ours was actually missed by the entire large and active streamcipher community 
for so many years. 

3.4 GSM 

Our discussion so far on streamciphers has shown that the security level reached by 
using a key of length longer than the IV length does not correspond to the key length 
under the framework of TMTO attacks. In this section, we turn to a more specific 
example. It will illustrate that the actual joint entropy of key and IV matters 
more than just their length. 
The encryption algorithm for GSM mobile phones [1] is called A5/3. It is a 
modified version of OFB mode of operation based on the KASUMI blockcipher. 
KASUMI is a 64-bit blockcipher with key length of 128 bits. 

In the use of A5/3 for GSM encryption, most part of IV is fixed to some 
constant value. Only a 22-bit counter part is incremented each time the IV is 
changed. The 128-bit key is actually a concatenation of two copies of a single 
64-bit key. Only 228 bits of keystream is used after initialization with a new IV, 
but this is not important for us. 

We can define our oneway function as 

(64-bit key, 22-bit counter value) $\mapsto$ 86-bit keystream prefix. 

There is an initialization process making A5/3 slightly different from the usual 
OFB mode of operation and the feedback itself is also a bit different, but as was 
already commented, this is immaterial. It suffices to know the exact specification 
for keystream production in order to be able to apply TMTO algorithms. 

In this case, $N = 2^{86}$. If we choose $D = N^{1/4}$ and $T = M$ in the curve 
$TM^2D^2 = N^2$, then we get an attack with the parameters $D = 2^{21.5}$ and 
$T = M = 2^{43}$. The precomputation time is $P = 2^{64.5}$. Since the counter used 
in the IV is only 22 bits long, it seems more reasonable to collect data that 
correspond to multiple master keys. In practice, this may have been obtained 
from multiple users. When one of these keys is recovered, it can be used to 
decrypt messages encrypted with the same key and different IVs. 

The authors are not aware of the actual situation, but if only a small portion 
of the possible counter values are used in real life (this would happen if the 
counter always started from zero), i.e., if the entropy of the counter is smaller, 
the attacker’s position is strengthened further. 

3.5 Designing TMTO Resistant Streamciphers with IV 

The level of threat brought about by a TMTO attack depends largely on the 
environment. But a good streamcipher design would be aimed at resisting these 
threats under any plausible environment it could be in. If one views TMTO 
attacks as threat to streamciphers, one of the following measures should be 
taken. 

1. Ensure that, in every implementation of the cipher, the collective entropy of 
key and IV will always be at least twice that of intended security level. In 
particular, the length of key and IV should add up to at least twice security 
level and the IV should not be used in a predictable way. During the state 
initialization process, the collective entropy of key and IV should not be 
allowed to decrease below twice key size. 

2. If you are designing a general purpose streamcipher, and do not know in what 
manner your cipher is going to be used, claim security level corresponding 
to half your key size. Then, arbitrary use of IV may be allowed. Entropy of 
internal state after initialization should not be smaller than that provided 
by key size. 
Here, in saying that the IV usage should be random, we mean it to be unpredictable 
from the viewpoint of a TMTO attacker preparing a table. So, for 
example, as long as the starting point is chosen at random, the IV may be sup- 
plied through a counter for a limited period of time. This possibility was pointed 
out in [8] in response to an earlier version of this paper. 

Pre- Computation Time: As mentioned in Section 3.1, the pre-computation time 
can be less than exhaustive search if $D = N^a$ with $a > v/(k+v)$. Thus, one 
approach to securing streamciphers against TMTO with less than exhaustive 
pre-computation is to ensure that the access to multiple data is restricted to at 
most $N^{v/(k+v)}$. Any value of $k$ and $v$ satisfying this condition can then be used. 
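The tradeoff points of Section 3.1 and the pre-computation conditions of Sections 3.1 and 3.5, worked as an added example (not code from the paper): given key length k and IV length v it lists the BG point and the two BS points in the exponent, checks each against its curve, and reports whether online cost and pre-computation fall below exhaustive key search. The 80/32 and 64/22 parameter sets of Sections 3.3 and 3.4 are used as inputs; with v = 0 it reproduces the key-only point of Section 3.

```python
from fractions import Fraction

# Added example, not from the paper: the tradeoff points of Section 3.1 for a streamcipher
# with a k-bit key and v-bit IV, and the pre-computation checks of Sections 3.1 and 3.5.
# Every quantity is a log2 exponent; N = 2^(k+v), so n = k + v below.

def tradeoff_points(k: int, v: int) -> dict:
    """Exponents of (P, D, M, T) for the BG point and the two BS points of Section 3.1."""
    n = Fraction(k + v)
    return {
        "BG":   {"P": n / 2,     "D": n / 2, "M": n / 2, "T": n / 2},      # TM = N, T = D, P = M = N/D
        "BS-a": {"P": 2 * n / 3, "D": n / 3, "M": n / 3, "T": 2 * n / 3},  # TM^2 D^2 = N^2, D^2 <= T
        "BS-b": {"P": 3 * n / 4, "D": n / 4, "M": n / 2, "T": n / 2},      # the low-data BS point
    }

def on_curve(k: int, v: int, name: str, pt: dict) -> bool:
    """Consistency check of a point against its curve, in the exponent (Section 2)."""
    n = k + v
    if name == "BG":
        return pt["T"] + pt["M"] == n and pt["T"] == pt["D"] and pt["P"] == pt["M"] == n - pt["D"]
    return (pt["T"] + 2 * pt["M"] + 2 * pt["D"] == 2 * n   # TM^2 D^2 = N^2
            and 2 * pt["D"] <= pt["T"]                      # D^2 <= T
            and pt["P"] == n - pt["D"])                     # P = N/D

def precomputation_exponent(k: int, v: int, a: float) -> float:
    """log2 P for D = N^a: P = N^(1-a). Below 2^k exactly when a > v/(k+v), i.e. D > 2^v."""
    return (1 - a) * (k + v)

def assess(k: int, v: int) -> dict:
    """Per point: is the online cost max(T, M) below 2^k, and is P below 2^k?"""
    out = {}
    for name, pt in tradeoff_points(k, v).items():
        assert on_curve(k, v, name, pt)
        out[name] = {
            **{q: float(e) for q, e in pt.items()},
            "online_below_exhaustive": max(pt["T"], pt["M"]) < k,
            "precomputation_below_exhaustive": pt["P"] < k,
        }
    return out

def iv_long_enough(k: int, v: int) -> dict:
    """Design rule of Section 3.5: with pre-computation counted, the BS-b point is an attack
    only for k > 3v; with pre-computation ignored, any v < k is already vulnerable."""
    return {"resists_bs_b_with_precomputation": k <= 3 * v,
            "resists_if_precomputation_free": v >= k}

if __name__ == "__main__":
    # (80, 32) is the Profile 2 set of Section 3.3, (64, 22) the key/counter pair of Section 3.4
    for k, v in [(80, 32), (64, 22), (80, 0), (128, 128)]:
        print(k, v, assess(k, v)["BS-b"], iv_long_enough(k, v))
```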

4 Blockcipher Modes of Operation 

In this section, we consider several non-trivial applications of multiple data cho- 
sen plaintext TMTO attacks to different blockcipher modes of operations. We 
were able to do this successfully on every mode we have considered. This seems 
to indicate that, in general, all blockcipher modes of operation are vulnerable to 
TMTO attacks. 

4.1 ECB, CTR, OFB 

For the ECB mode of operation, TMTO that utilizes multiple data may be used 
if the attacker’s objective is to recover any single one of the multiple keys that 
encrypted the same chosen plaintext. 

Counter mode is in a very similar situation if counter usage is predictable. 
The counter value predicted to be used gives us a basis for the chosen plaintext 
attack, and when the corresponding ciphertext is given, the key may be recovered 
in time shorter than key exhaustive search. After this, all other text encrypted 
with the same key may be decrypted. 

As we already saw in the GSM example, OFB mode of operation is essentially 
a streamcipher with IV, and arguments of the previous section apply. 


4.2 CBC Mode of Operation 

Consider a blockcipher where message, IV and cipher lengths are $b$ bits. Let the 
key length be $lb$ bits. (Note that $l$ need not be an integer and we denote $\lambda = \lceil l \rceil$, 
$\mu = l - \lfloor l \rfloor$.) The encryption function $E_k$ maps a $b$-bit string to a $b$-bit string. For 
a plaintext $m_1, m_2, \ldots$, with each $|m_i| = b$, the CBC encryption with an IV $V$ 
produces a ciphertext $c_1, c_2, \ldots$ as follows: $c_i = E_k(m_i \oplus c_{i-1})$, where we assume 
$c_0 = V$. 

Let $m$ be a fixed $b$-bit string. For example, if we are dealing with a 64-bit 
blockcipher, we let $m$ be 8 ASCII space characters. This definition of $m$ also 
appears in the original work by Hellman [16]. 
For any $b$-bit IV $V$ and $lb$-bit key $k$, we define a one-way function 
$f : \{0,1\}^{(l+1)b} \to \{0,1\}^{(l+1)b}$ by 

$f(k \| V) = E_k(m \oplus V) \,\|\, E_k(m \oplus c_1) \,\|\, \cdots \,\|\, E_k(m \oplus c_{\lambda-1}) \,\|\, \mathrm{prefix}_{\mu b}(E_k(m \oplus c_\lambda))$. 

(Here $\mathrm{prefix}_i(x)$ denotes the $i$-bit prefix of the binary string $x$.) Then the output 
of $f$ is the $(l+1)b$-bit prefix of the encryption of the plaintext $M$ which consists 
of $\lambda + 1$ repetitions of the $b$-bit message $m$ using the key $k$ and IV $V$. 

The $f$ defined above is the target one-way function to be inverted. We incorporate 
multiple data in the following manner. Let $c_1 c_2 \ldots c_{D+\lambda}$ be a ciphertext 
obtained by encrypting a plaintext consisting of $D + \lambda$ many repetitions of the 
$b$-bit message $m$ using an unknown key $k$ and IV $V$. For $1 \le i \le D$, define 
$C_i = c_i \ldots c_{\lambda+i}$. Due to the self-similar structure of CBC chaining, we have the 
following relationships. 

1. $C_1$ is the CBC encryption of $M$ using key $k$ and IV $V$. 

2. $C_2$ is the CBC encryption of $M$ using key $k$ and IV $c_1$. 

3. $C_3$ is the CBC encryption of $M$ using key $k$ and IV $c_2$. 

4. In general, $C_i$ is the CBC encryption of $M$ using key $k$ and IV $c_{i-1}$. 

Then by the definition of $f$, we have $f(k \| c_{i-1}) = D_i = \mathrm{prefix}_{(l+1)b}(C_i)$, for $1 \le 
i \le D$. Inverting $f$ on any of the $D_i$'s will yield $k$ (and also $c_{i-1}$). If the IV $V$ is 
not public, we could just ignore the first block and think of the second block as 
starting a CBC mode with the IV set to the first ciphertext block, decrypting 
from the second block onwards. Further, the repetitions of $m$ need not be at the 
beginning of the message. If there are $D + \lambda$ repetitions of $m$ occurring somewhere 
in the message, then we can use the known ciphertext block preceding the $D + \lambda$ 
repetitions as the IV and obtain the required $D$ data points. 

This establishes a multiple data scenario for attacking the CBC mode of 
operation. Here the search space is $N = 2^{(l+1)b}$ while the key space is $2^{lb}$. 
Assuming the curve $TM^2D^2 = N^2$ holds, an optimal point of $T = M = N^{1/2}$, 
$D = N^{1/4}$ yields an attack if and only if $N^{1/2} < 2^{lb}$, i.e., $2^{(l+1)b/2} < 2^{lb}$, which 
holds if and only if $l > 1$. Thus, $b = 128$ and $l = 2$ gives an attack. This situation 
corresponds to AES with message and cipher length equal to 128 bits and key 
length equal to 256 bits. Similarly, the parameters $b = 128$ and $l = 1.5$ give an 
attack corresponding to AES with 128-bit message block and 192-bit key. 

The discussion on pre-computation time is similar to that presented in Sec- 
tion 3.1 and hence is not repeated here. 

OMAC OMAC [19] is a NIST standard for encryption and authentication. It is 
a one key CBC with the capability of producing an authentication tag. Ignoring 
the MAC, the TMTO attack on CBC also works for OMAC. 

4.3 CFB and TBC Modes of Operation 

CFB is the other mode of operation which Hellman remarked to be secure against 
known plaintext TMTO attacks. However, the situation with CFB is exactly the 
same as with CBC, i.e., CFB is equally susceptible to chosen plaintext TMTO 
attacks. 

As before, let $E_k$ be the encryption function of a blockcipher with $b$-bit 
message, IV and cipher blocks and $lb$-bit keys. Given a plaintext of $b$-bit 
blocks $m_1, m_2, \ldots$, and an IV $V$, the CFB mode of operation produces a 
ciphertext $c_1, c_2, \ldots$, where $c_i = m_i \oplus E_k(c_{i-1})$. As before, we assume $c_0 = V$. 

The one-way function to be inverted is defined from $(l+1)b$-bit strings to 
itself in the following manner. As before, let $m$ be a fixed $b$-bit message string. 
Then, given an $lb$-bit key $k$ and a $b$-bit IV $V$, we define 

$f(k \| V) = m \oplus E_k(V) \,\|\, m \oplus E_k(c_1) \,\|\, \cdots \,\|\, m \oplus E_k(c_{\lambda-1}) \,\|\, \mathrm{prefix}_{\mu b}(m \oplus E_k(c_\lambda))$. 


Now the entire discussion given for CBC applies. Also, the same argument applies 
to tweakable blockciphers [21] running in TBC mode. It suffices to use tweak in 
place of IV. 
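The self-similarity relations of Sections 4.2 (CBC) and 4.3 (CFB), checked on constructed data as an added example (not code from the paper): one ciphertext of D + λ repetitions of the fixed block m is split into the windows C_i, and each derived target is compared with f(k || c_{i-1}). The block cipher E_k is a sha256-based stand-in, the key, IV and block sizes (b = 64, l = 1.5) are assumed for illustration, and the final helper gives the defender's reading: a run of identical plaintext blocks under one key exposes r − λ targets for that key.

```python
import hashlib

# Added example, not from the paper: checks the self-similarity relations of Sections 4.2 and 4.3
# on constructed data. E_k below is a sha256-based keyed PRF truncated to one block, a stand-in for
# a real block cipher; CBC/CFB encryption and the one-way function f only ever evaluate E_k forward.
B = 8             # b = 64-bit blocks
KEY_BYTES = 12    # lb = 96 bits, so l = 1.5, lambda = ceil(l) = 2, mu = l - floor(l) = 0.5
LAMBDA = 2
PREFIX_BYTES = 4  # mu*b = 32 bits: f outputs (l+1)b = 160 bits = 2 full blocks + 4 bytes

def E(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for the block cipher E_k (not invertible, which f never needs)."""
    assert len(key) == KEY_BYTES and len(block) == B
    return hashlib.sha256(key + block).digest()[:B]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def chain_encrypt(key: bytes, iv: bytes, blocks: list, mode: str) -> list:
    """CBC: c_i = E_k(m_i xor c_{i-1}); CFB: c_i = m_i xor E_k(c_{i-1}); c_0 = IV."""
    prev, out = iv, []
    for m in blocks:
        prev = E(key, xor(m, prev)) if mode == "cbc" else xor(m, E(key, prev))
        out.append(prev)
    return out

def f(key: bytes, iv: bytes, m: bytes, mode: str) -> bytes:
    """The one-way function of 4.2/4.3: (l+1)b-bit prefix of the encryption of lambda+1 copies of m."""
    c = chain_encrypt(key, iv, [m] * (LAMBDA + 1), mode)
    return b"".join(c[:LAMBDA]) + c[LAMBDA][:PREFIX_BYTES]

def data_points(iv: bytes, ciphertext: list, d: int) -> list:
    """From c_1..c_{D+lambda} (encryption of D+lambda copies of m) derive the D targets
    D_i = prefix_{(l+1)b}(C_i), C_i = c_i...c_{lambda+i}, each paired with the IV c_{i-1} behind it."""
    c = [iv] + list(ciphertext)        # c[0] = V, c[i] = i-th ciphertext block
    pts = []
    for i in range(1, d + 1):
        win = c[i:i + LAMBDA + 1]
        pts.append((c[i - 1], b"".join(win[:LAMBDA]) + win[LAMBDA][:PREFIX_BYTES]))
    return pts

def self_similarity_holds(key: bytes, iv: bytes, m: bytes, d: int, mode: str) -> bool:
    """True iff every derived target equals f(k || c_{i-1}): one ciphertext yields D data points."""
    ct = chain_encrypt(key, iv, [m] * (d + LAMBDA), mode)
    return all(f(key, prev, m, mode) == target for prev, target in data_points(iv, ct, d))

def targets_exposed(run_length: int) -> int:
    """Defender's view: a run of r identical plaintext blocks under one key exposes r - lambda
    targets for that key (zero unless r >= lambda + 1)."""
    return max(0, run_length - LAMBDA)

# Constructed sample values (not from the paper)
KEY = bytes(range(KEY_BYTES))
IV = b"\x00" * B
M = b" " * B   # eight ASCII spaces, the fixed block m of Section 4.2
```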

4.4 Other Modes of Operation 

We have considered OCB [24], CMC [14], and EME [15] modes of operation. 
With the attacker given full power with respect to pre-computation and data 
availability, if key (two keys are used for CMC, but we can treat them as one 
long key) is any longer than IV, nonce, or tweak, these modes cannot provide 
security level equal to key size. 

4.5 OCB 

The mode OCB [24] produces a MAC in addition to the ciphertext. The encryption 
part of OCB is similar to ECB, except that one extra key-like element is used 
for each block of encryption. These key-like elements are derived from a key and 
nonce pair, and are updated for each block of additional encryption. 

From the view point of TMTO, the MAC output part is no different from 
the ciphertext. As before, we use the chosen plaintext attack scenario and define 
the oneway function to send (key, nonce) pair to (ciphertext || MAC). 

4.6 CMC, EME 

Let us consider the CMC [14] and EME [15] modes of operation. A tweak in addition 
to a key (two keys are used for CMC, but we just consider them as one long key) is 
used. These are two-pass encryption modes and every bit of the ciphertext depends 
on the whole input text. TMTO should provide the attacker with a key (in addition 
to the tweak). This can then be used on ciphertexts using different tweaks. 

We fix a plaintext and define the oneway function / as follows. The function 
/ takes as input a pair (key, tweak) and encrypts the plaintext to obtain the 
ciphertext. This is hashed (by a collision resistant hash function) to obtain a 
string of length equal to |key| + |tweak|. This string is the output of /. In the 
online phase, we will have a ciphertext and can hash it to obtain a string in 
the range of the oneway function. Finding a pre-image of the range element will 
provide the secret key (and also the tweak) . 

These modes of operations extend a small block length pseudorandom per- 
mutation to a wide block length pseudorandom permutation. The intended ap- 
plication is for in-place disk encryption, where the tweak is the sector address 
and the plaintext block consists of the contents of the corresponding sector. 
Thus, block length is quite large (around 512 bytes). The reason for using hash 
function in the definition of the oneway function is so that we do not record this 
long ciphertext in the table. 

It is quite possible that the contents of many of the sectors are identical, 
which is especially true if the sectors are not in use. In such situation, we can 
utilize multiple data by obtaining the ciphertexts corresponding to different sec- 
tor addresses (tweaks) among the sectors containing our fixed chosen plaintext. 
Inverting any of the points will reveal the master key (and the corresponding 
tweak), which can be used to decrypt other blocks. 

5 Hash Function 

With the demand for small hash functions increasing in relation to its possible 
use in RFIDs, the relatively less interesting results we have concerning hash 
functions may have implications on hash designed for those environments. 

Simple hash We could not find a reasonable application of TMTO to collision 
finding, but obtaining a preimage or second preimage quickly with the added 
advantage of pre-computation time seems to be a plausible attack scenario not 
considered before. Applying TMTO to the oneway hash function itself, with the 
message space appropriately restricted, one can see that no hash function can 
achieve preimage resistance security level equal to its digest size. 

Keyed hash and MAC Under the chosen plaintext attack model, keyed hash (or 
MAC) is very similar to the ECB mode of operation. Sending key to the keyed 
hash value of a fixed plaintext is the oneway function to be considered. Attacker’s 
objective is to recover the key, given the keyed hash value corresponding to the 
chosen plaintext. Once the key is obtained, it could be used to forge other hash 
(or MAC) values. TMTO applies as before and security level equal to key size 
cannot be reached. 

6 Asymmetric Algorithms 

In many cases of public key algorithms, the relevant oneway functions satisfy the 
so-called random self reducibility property, i.e., solving one particular instance 
of the problem is as hard as solving a random instance of the problem. This is 
usually shown by converting a specific instance to a random instance. We would 
like to point out that this provides a natural way of applying multiple data 
TMTO, even when a single data item is obtained from the application domain. 
This is also true for the so-called homomorphic encryption algorithms, whereby 
knowing the encryption of a single message, it is possible to create encryptions 
of many related messages. 

In symmetric key algorithms, usually the security level expected of an algo- 
rithm is equal to its key size. This is far from true in the asymmetric world. 
Hence TMTO algorithms, the best of which only halve the security level, are less 
interesting here. Nevertheless, to show that TMTO is a versatile tool, we shall 
apply tradeoff methods to some asymmetric algorithms. 

6.1 NTRUEncrypt 

Let us consider the 80-bit security version of NTRU public key cryptosystem [2]. 
The latest parameter set [18] specifies a message space of size $2^{251}$. Of the 251 bits, 
only about | is used for the actual message and the rest is filled with a randomizing 
value. (This situation resembles the key+IV situation considered in previous 
sections and shows that even probabilistic algorithms are not completely out of 
reach from TMTO.) What is important is that, for a fixed public key, once the 
251-bit input is formed, the rest of the encryption process is deterministic from 
that point on. We can take this deterministic encryption process as our oneway 
function $f$ and apply the tradeoff point $T = M = N^{2/3}$ to obtain a message 
recovery attack of $2^{167.3}$ complexity. 

Actually, we can do better. As mentioned in Section 2, if $f$ is a permutation, 
then a better tradeoff point $T = M = N^{1/2}$ applies. Notice that encryption is a 
bijective process (the so called wrapping failure no longer occurs for parameters 
presented in [18]). Hence, even though there are some complications, arguing that $f$ 
is a permutation is reasonable. In such a case, attack complexity goes down to $2^{125.5}$. 

We have shown that at the cost of exhaustive pre-computed encryption with 
a fixed public key, one can decrypt any ciphertext with online time and memory 
complexity $2^{125.5}$. This is larger than, but close to, the best known attack on 
NTRU of complexity $2^{106}$, which happens to be another time memory tradeoff 
called the meet-in-the-middle attack. To bring multiple data into the picture, 
one might consider the situation where multiple encrypted messages are given 
to the attacker and inverting just one is good enough. 

Arguments similar to those given above apply to all public key encryption schemes. 
Also, for other public key schemes there can be alternative oneway functions to 
consider. For example, one may consider the function from the decryption key 
to the plaintext for a fixed ciphertext. It might not always be valid to consider 
this, but in the cases where it is valid, applying TMTO to such a function will yield the 
decryption key. We do not discuss these issues further, since for such applications 
TMTO does not appear to be a realistic threat. 

6.2 Signature Schemes 

Many signature schemes send a triple (m, k, r) consisting of message, key, and 
randomizing value to a signature (x, s). Here, x is a function of the random value 
r and sometimes also of m, and s is a function of all inputs. 
One fixes a message m likely to be signed by the victim in the near future 
and applies TMTO to the function (k, r) ↦ (x, s). Depending on the relative 
sizes of k and r, this could be more efficient than exhaustive key search. However, the 
attack complexity will not go anywhere near the claimed security level of the 
signature schemes. Alternatively, one could apply TMTO to the (r, m) ↦ x part 
first (under a chosen plaintext scenario), and use the obtained r to recover k, for a 
more efficient attack. Thus, there are several possibilities for candidate oneway 
functions, possibly different from the oneway function the designer had in mind. 


7 General Framework for TMTO Application 

Through the arguments of this paper, we have seen that TMTO can be applied to 
many different situations in a very versatile way. In this section, let us take for 
granted that TMTO is a general method for inverting well-behaved oneway func- 
tions, and explain a general method for applying it to cryptographic situations. 

In all of the cryptographic situations considered in this paper, under an 
appropriate attack scenario, we could devise a oneway function of the following 
form. 

$$f : K \times V \to C. \qquad (2)$$

Here, K denotes the secret values the attacker is trying to obtain, and V refers to 
the set of auxiliary values which is, in many situations, public but not controllable 
by the attacker. The set C contains the output values, and specific targets from 
this set are given to the attacker at the online stage of TMTO. What these sets 
refer to in the various situations considered in this paper is listed in Table 1. In 
some cases, V is missing from the cryptographic system, in which case we think 
of V as containing a single element. 


Table 1. Fitting various cryptographic situations into TMTO framework 

situation                          | K        | V                  | C 
block   ECB [16], CTR              | key      |                    | single ciphertext block 
        OFB, CBC, CFB              | key      | IV                 | ciphertext blocks 
        TBC                        | key      | nonce              | ciphertext blocks 
        OCB                        | key      | nonce              | ciphertext blocks + MAC 
        CMC, EME                   | key(s)   | tweak              | ciphertext blocks 
stream  previous [4,7,12]          | state    |                    | keystream of state size 
        simple                     | key      |                    | keystream of key size 
        with IV                    | key      | IV                 | keystream of (key+IV) size 
hash    preimage                   | message  |                    | hash value 
        keyed                      | key      |                    | hash value 
public key encryption              | message  | randomizing value  | ciphertext 
signature                          | key      | randomizing value  | signature 
Once a oneway function is fixed, in most cases, we will want to be able to 
apply f iteratively. This can be taken care of by applying a random hash 

$$h : C \to K \times V. \qquad (3)$$

The second thing we should consider is that most of the TMTO algorithms will 
apply with a better success rate if h ∘ f is close to an injection, so that a target 
uniquely determines the pre-image. As long as the set C is larger than K × V, for 
most cryptographic applications this can be naturally expected of the system to 
some degree. If C is smaller than K × V, one should find some way to deform f so 
that the image space is larger. We saw through chosen plaintext attack scenarios 
that this could easily be done by simply increasing the plaintext length so that 
the output is long enough. In other situations, for example if V contains publicly 
known values, using a hash h' : V → V' of appropriate length and setting 

$$f' : K \times V \to C' = C \times V', \qquad (k, v) \mapsto f(k, v) \,\|\, h'(v) \qquad (4)$$

could be another solution. One should keep in mind that the image must be some 
value that is either public or can be calculated from publicly available data. 

We can now write up a set of guidelines for applying TMTO to a crypto- 
graphic system. 

1. Identify a (oneway) function f : K × V → C, inverting which will reveal 
secret information of the attacker’s interest, belonging to K. This function 
need not be the oneway function the designer of the system based his system on. 

2. K and V should be taken as small as possible, allowing them to be just big 
enough to reflect the actual entropy of the values used. 

3. If needed, adjust the function so that the entropy of the function’s image space is 
equal to that of its input space. This will help in making the function f injective, 
hence raising the success probability of the attack. 

4. Lower attack complexity can be achieved if it is possible to devise an attack 
scenario where the attacker is given multiple target points in the image space 
of / and finding the inverse image of any one of those points is good enough. 

5. Depending on the reasonable amount of target points available, apply a 
suitable TMTO method to obtain a secret value in K. 

6. When abundant data is at hand, TMTO with D = N^{1/4}, T = M = N^{1/2} is 
applicable, and the attack is meaningful whenever |K| > |V|. At the other 
extreme, with one data point and a oneway function of bad characteristics, we 
could apply the TMTO of Fiat and Naor [10], and the attack is successful 
when |K| > |V|^3. 

We can summarize all this by saying that the most difficult task of applying 
the TMTO to a cryptographic system is finding a plausible scenario of attack, 
preferably in which a large set of data is available. Once this is done, the rest of 
the process comes naturally. 
8 Conclusion 

TMTO is basically a generic oneway function inverter. To attack a specific system 
with these TMTO methods, it suffices to identify a suitable oneway function, 
inverting which will provide one with a secret. In doing this, one should keep an 
eye out for oneway functions hiding in the system, different from the one the designer 
of the system had in mind. The success of TMTO depends heavily on the 
amount of data available, so devising an appropriate scenario of attack is also crucial. 

By applying generic TMTO to blockciphers in ways not tried before, we have 
confirmed that TMTO has security implications, not only to ECB, but to most 
blockcipher modes of operation. We have also shown that TMTO affects the 
security of every streamcipher, not only those with small internal states. 

We conclude with the remark that TMTO, as a general oneway function 
inversion technique, is a more powerful and versatile tool than is currently known 
to the crypto community. 
A Known Versus Chosen Plaintext TMTO Attacks on 
Blockciphers 

The issue of known and chosen plaintext attacks was briefly mentioned in Sec- 
tion 1.2. We continue the discussion here. 

Hellman’s attack on the ECB mode of operation uses a oneway function f 
defined as follows. Fix a message block m and define a map from key to ciphertext 
by f(k) = E_k(m). Suppose we are given a ciphertext c which is the encryption 
of m under an unknown key k, i.e., f(k) = c. If we can invert f on c, then we 
can hope to find k. Clearly, for this attack to work, we must have an encryption 
of m and hence the attack is actually a chosen plaintext attack (CPA). 

Hellman explains that this can also be turned into a known plaintext attack 
(KPA) or ciphertext only attack (COA) in the following sense. Suppose m is a 
block which occurs very frequently, for example a string of blanks. For a KPA, 
the cryptanalyst looks for the occurrence of m in the plaintext and inverts f on 
the corresponding ciphertext block to obtain k. For a COA, the cryptanalyst will 
look for repetitions among the encrypted message. For each frequently repeated 
ciphertext block, he will try to invert f. If the block encrypts m, then he finds 
k, else he fails. The time required for the COA increases, since many trials 
might have to be done before actually finding an encryption of m. Note that for 
successful conversion of CPA to KPA and to COA, the block m must occur in 
the (unknown) plaintext corresponding to the target data. Thus, if the target data 
is given randomly, then the above conversions are not meaningful. Furthermore, 
in Hellman’s CPA converted to KPA or COA, there is no way to utilise multiple 
data to bring down the pre-computation time. 

Our attacks on the CBC and CFB modes of operation in Section 4 are CPA. 
As in Hellman, we need to fix a plaintext and then define the oneway function 
to be inverted. To utilise multiple data, our fixed plaintext consists of D + λ 
repetitions of m. Again, as in Hellman, we need to choose m and D such that 
D + λ repetitions of m is likely in an actual message. Then we can convert 
the CPA to KPA by inspecting the obtained plaintext for D + λ repetitions of 
m. We consider the corresponding portion of D + λ ciphertext blocks. Using 
the ciphertext block preceding this portion as the IV, we can use the D + λ 
ciphertext blocks to obtain the D data points required for the attack. Again, as in 
Hellman’s case, this conversion is not meaningful if the data corresponding to 
random plaintext is given. 

It might appear that for a meaningful KPA, we need a larger portion to be 
frequently repeated than is required by Hellman. Though this is true, the actual 
requirement might not be too high. For example, if λ + 1 repetitions of m occur in 
the plaintext, we can launch an attack with D = 1. Having more blocks increases 
D and the efficiency of the attack. 

Conversion of the CPA on CBC and CFB to COA is also possible, though it 
becomes less efficient. Suppose that we want to utilise D data points and in the 
pre-computation phase have prepared the tables to cover N/D data points. In 
the online stage, we do the following. We slide (one block at a time) a window 
of D + λ blocks over the ciphertext. Each window gives us D data points and 
if we perform the online search of the TMTO, with a constant probability of 
success we will get a hit. However, the k obtained may not be the correct key, 
since there is no guarantee that the D + λ blocks correspond to an encryption 
of D + λ repetitions of m. We can easily verify this by decrypting a portion or 
the whole of the ciphertext using this k. On the other hand, if the window of D + λ 
ciphertext blocks actually corresponds to an encryption of D + λ repetitions of m, 
then we have the correct key. Hence, if the unknown plaintext indeed contained 
D + λ repetitions of m, then by trying out all possible windows we are assured 
of success. This pushes up the online time by a factor which in the worst case is 
equal to the number of blocks in the obtained ciphertext. This makes the attack 
less efficient, though it still remains meaningful under our assumption on the 
data. 

B When Should We Start Building a Table? 

We consider the question of whether it makes sense to start the long-term pre- 
computation search today. 

Moore’s law. It has been observed that processor power doubles every 1.5 years. 
Let us assume that this will be true for the foreseeable future. Going back to 
high school mathematics, we can write the processing power p(t) at time t as 

$$p(t) = a \cdot 2^{t/1.5}. \qquad (5)$$

We will take t = 0 to correspond to today, in which case the constant a will be our 
current computational power. 

Example table creation. Let us consider Hellman’s TMTO on AES as an exam- 
ple. The pre-computation stage will be an exhaustive processing of all 128-bit 
keys. On a desktop PC, AES encryption runs at 488 Mbps, which translates 
to about 2^47 128-bit blocks per year. We should consider the key schedule 
also. Assuming that it runs at about the same speed as the encryption, we can 
take 

$$a = 2^{46} \ \text{“key} \mapsto \text{ciphertext” mappings/year.} \qquad (6)$$

So how long would the table creation take? Solving for T in 



we find that the table creation will end T = 121.3 years from now. This assumes 
that the computer is constantly upgraded. 

Starting later. What happens if we do nothing for 120 years, and only then start 
building the table? Our computation power will be a = 2^46 · 2^{(2/3)·120} = 2^126. Solving 
for T' in 



we find that the table creation will take T' = 2.3 years, hence ending 122.3 years 
from now. So we are one year later than what was achievable. But, is finishing 
one year earlier really worth the trouble of upgrading the computer constantly 
for 120 years? 

In general, given any computation that takes n years from now to complete, 
if one starts the computation n years later, it can be finished in less than 1.5 
years from then on. 
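As an added worked computation, not taken from the paper, modelling the pre-computation cost as the integral of p(t) from (5) over the building period (an assumption) and equating it to the 2^128 key-to-ciphertext mappings of the AES table, which reproduces the figures above:

$$\int_0^{T} a\,2^{t/1.5}\,dt \;=\; \frac{1.5\,a}{\ln 2}\left(2^{T/1.5}-1\right) \;=\; 2^{128}.$$

$$a = 2^{46}:\quad 2^{T/1.5} = 1 + \frac{\ln 2}{1.5}\,2^{82} \approx 2^{80.89},\qquad T \approx 1.5 \times 80.89 \approx 121.3 \text{ years}.$$

$$a' = 2^{126}:\quad 2^{T'/1.5} = 1 + \frac{\ln 2}{1.5}\cdot 4 \approx 2.85,\qquad T' \approx 1.5 \log_2 2.85 \approx 2.3 \text{ years}.$$

In general, a computation of n years started n years later runs at a·2^{n/1.5} and must cover (1.5a/ln 2)(2^{n/1.5} − 1), so 2^{T'/1.5} = 2 − 2^{−n/1.5} < 2 and T' < 1.5 years, as stated above.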
Abstract. In this paper, we introduce a new cryptanalysis method for 
stream ciphers based on T-functions and apply it to the TSC family 
which was proposed by Hong et al. Our attacks are based on linear ap- 
proximations of the algorithms (in particular of the T-function). Hence, 
it is related to correlation attacks, a popular technique to break stream 
ciphers with a linear update, like those using LFSRs. 

We show a key-recovery attack for the two algorithms proposed at 
FSE 2005: TSC-1 in 2^{25.4} computation steps, and TSC-2 in 2^{48.1} steps. 

The first attack has been implemented and takes about 4 minutes to 
recover the whole key on an average PC. Another algorithm in the fam- 
ily, called TSC-3, was proposed at the ECRYPT call for stream ciphers. 
Despite some differences with its predecessors, it can be broken by sim- 
ilar techniques. Our attack has a complexity of 2^42 known keystream bits 
to distinguish it from random, and about 2^66 steps of computation to 
recover the full secret key. 

An extended version of this paper can be found on the ECRYPT 
website [23]. 

1 Introduction 

1.1 Background 

Together with block ciphers, stream ciphers are the second important family of 
symmetric encryption primitives. They work by generating a long pseudo-random 
sequence (generally called the keystream) from a short key. Then, a message is 
encrypted by a simple XOR with the keystream and the decryption works the 
same way. The keystream should not be distinguishable from a random sequence 
to make the cipher secure. Even if the cryptographic security is the main issue, 
the efficiency of the algorithm also has to be taken into account. Indeed, speed is 
the main advantage of stream ciphers over block ciphers. 

Nowadays, designing a stream cipher is risky and the existence of good block 
ciphers has raised some issues about the future of stream ciphers [2, 24]. How- 
ever, some particular domains continue to be active. For example, fast software- 
oriented stream ciphers may still be needed, as well as hardware-oriented designs 
with a small footprint for resource constrained devices. A call for primitives has 
recently been launched by the European ECRYPT project and many new algo- 
rithms have been proposed for this occasion [6,7]. 

A classical approach for stream cipher design is the use of Linear Feedback 
Shift Registers (LFSR). Such primitives have to be combined with nonlinear 
Boolean functions to break the linearity. Due to the emergence of new attacks 
(like algebraic attacks [1,4]), new primitives have been introduced to replace 
LFSRs. A nice example is the Triangular functions (T-functions) by Klimov 
and Shamir [13, 14]. They are a new class of mappings, with the property of being 
computable from the Least Significant Bits (LSB) to the Most Significant Bits (MSB). 
This is well suited for implementations, because many operations available on 
processors (like +, *, XOR, OR, AND) are T-functions. T-functions are not (nec- 
essarily) linear and, for appropriate choices, they can be permutations with one 
single cycle, which is useful for stream cipher design. Klimov and Shamir also 
extended their theory to multi-word T-functions and provided some results in 
other domains such as block ciphers and hash functions [12, 15, 16, 17]. 

The first T-function Based Stream Ciphers (TFBSC) were proposed in the 
original papers by Klimov and Shamir. More recently, Hong et al. proposed 
a new class of single cycle T-functions, which have the property of using S- 
boxes [10]. They described two new algorithms. The first one, TSC-1, is de- 
signed for hardware environments and the second, TSC-2, can be implemented 
very efficiently in software. Several attacks have also been published. At Asi- 
acrypt 2004, Mitra and Sarkar [22] described a time-memory trade-off attack 
which breaks some of the algorithms proposed by Klimov and Shamir. Kün- 
zli, Junod and Meier recently found distinguishing attacks applicable to many 
TFBSCs [19]. Taking into account these results, Hong et al. proposed a new 
algorithm, called TSC-3, at the ECRYPT competition for stream ciphers [7]. 
This algorithm is an improvement over its two predecessors, in order to thwart 
the published attacks [11]. However, the basic construction remains roughly the 
same. 


1.2 Contribution of the Paper 

Our contribution in this paper is to present a new cryptanalysis method 
for TFBSCs. Our idea is to mount a statistical attack using linear approx- 
imations of the cipher. First, we linearize the behavior of the T-function by 
considering several consecutive steps. Next, we linearize other components, like 
the output function. Then we describe how to recover the secret key by com- 
bining all these linear approximations. This framework is closely related to cor- 
relation attacks against LFSR-based stream ciphers [21,25] and also to linear 
cryptanalysis against block ciphers [20]. 

It applies very efficiently to the TSC family. Indeed, we can break TSC-1 with 
time complexity of 2^{25.4} steps and data complexity of 2^{21.4} keystream words. 
Similarly, TSC-2 can be broken with 2^{44.1} data and 2^{48.1} time. We implemented 
the first attack against TSC-1. It needs about 4 minutes to recover the whole 
initial secret key (Pentium-III 700 MHz). 
Table 1. Summary of attacks against the TSC family 

Algorithm | Type of Attack          | Time   | Data 
TSC-1     | Distinguishing [18, 19] | 2^22   | 2^22 
TSC-1     | Distinguishing          | 2^19   | 2^16 
TSC-1     | Key-recovery attack     | 2^25.4 | 2^21.4 
TSC-2     | Distinguishing [19]     | 2^34   | 2^34 
TSC-2     | Key-recovery attack     | 2^48.1 | 2^44.1 
TSC-3     | Distinguishing          | 2^42   | 2^42 
TSC-3     | Key-recovery attack     | 2^66   | 2^34 


This cryptanalysis method also applies against the ECRYPT proposal TSC-3, 
although some adaptations are needed. In particular, the linear approximations 
we use are a little bit more complicated than in the case of TSC-1 and TSC- 
2. We describe how to distinguish the output of TSC-3 from random data by 
processing about 2^42 keystream words. This observation can be extended to a 
key-recovery attack with time complexity of 2^66 and data complexity of about 
2^34 keystream bits. 

These attacks are the first key recovery attacks against the TSC family (dis- 
tinguishing attacks have already been pointed out in [18,19]). Table 1 summa- 
rizes all these results. We also point out some important requirements for the 
design of T-function based stream ciphers. In particular, the existence of good 
linear approximations of the T-function over several consecutive steps should be 
avoided. 

To begin, we review the basic properties of T-functions. Secondly, we give an overview 
of the existing TFBSCs and the existing attacks. In Section 4, we give a general 
framework to attack TFBSCs. Next, we describe how this framework applies to 
break TSC-1, TSC-2 and TSC-3. 

2 Introduction to T-functions 

We give a short review of T-functions results; readers can see [12] for further 
details. 


2.1 Single- Word T-functions 

Basically, a single-word T-function is a mapping on an n-bit word where bit 
i of the output can depend only on bits 0, 1, ..., i of the input. For example, 
most arithmetic operations, like addition, subtraction and multiplication, are T- 
functions. It is also the case for most logical operations (OR, AND, XOR). These 
operations are called primitive operations. They are useful because they are 
available on most processors and can generally be executed in one clock cycle. 

Moreover, the composition of two T-functions is a T-function, which allows 
one to design a large number of such functions. Klimov and Shamir developed tools 
in order to study their invertibility and their cycle structure. In particular, some 
families provide a great feature: a single cycle of maximal length. However, single- 
word T-functions are not useful by themselves as n is usually limited on modern 
processors (to 32 or 64 bits). To increase the state size, it is better to use, for 
instance, 4 words of 64 bits instead of one word of 256 bits. 

2.2 Multi-word T-functions 

The definition of T-functions can be extended to multi-word T-functions: bit 
i of any output word depends only on bits 0 to i of each input word. 

More formally, let x represent m words of n bits each, denoted by x_k with 
0 ≤ k < m. We get x = (x_k)_{k=0}^{m-1}. Also, [x_j]_i will refer to the i-th bit of a word 
x_j, seen as an integer: 

$$x_j = \sum_{i=0}^{n-1} [x_j]_i \, 2^i.$$

Then [x]_i denotes the layer of i-th bits of the m words x_k composing x. Thus 
we also get: 

$$[x]_i = \sum_{k=0}^{m-1} [x_k]_i \, 2^k.$$

[Figure: depiction of the state as m words of n bits, from MSB to LSB, with the layer [x]_0 marked; image not reproduced.] 

Definition 1. A (multi-word) T-function is a map 

$$T : (\{0,1\}^n)^m \to (\{0,1\}^n)^m, \qquad x \mapsto T(x) = (T_k(x))_{k=0}^{m-1},$$

sending an m-tuple of n-bit words to another m-tuple of n-bit words, where each 
resulting n-bit word is denoted as T_k(x), such that for each 0 ≤ i < n, the i- 
th bits of the resulting words [T(x)]_i are functions of just the lower input bits 
[x]_0, [x]_1, ..., [x]_i. 

We can also define a mapping from n-bit words to n-bit words in which bit 
i of the output depends only on bits 0, 1, ..., i − 1 of the input. Such mappings 
are called parameters and are useful to construct interesting T-functions. 
2.3 Properties of T-functions 

We focus on multi-word T-functions, since they are the most interesting for 
stream cipher design. Basically, two properties can be expected: 

— invertibility: This avoids a loss of entropy, if the T-function is used to 
update the state of a stream cipher. 

— single-cycle: It is important for security that the sequence of internal states 
has a large period. A single cycle of maximal length 2^{nm} is even better, but 
is possible only if the T-function is invertible. 

Klimov and Shamir proposed a method to construct T-functions which exhibit 
the single-cycle property. Their analysis is based on odd and even parameters 
(see [15] for more details). 

Another approach was recently proposed by Hong et al. [10]: Let x = (x_k)_{k=0}^{m-1} 
and y = (y_k)_{k=0}^{m-1} be two multi-words and let a be a single word. We define x ⊕ y 
and a · x as: 

$$x \oplus y = (x_k \oplus y_k)_{k=0}^{m-1} \quad \text{and} \quad a \cdot x = (a \wedge x_k)_{k=0}^{m-1}.$$

We also write ~a for the bitwise complement of a. 

Theorem 1. Let S be a single cycle S-box and let α be an odd parameter. If S^o 
is an odd power of S and S^e is an even power of S, the mapping 

$$T(x) = (\alpha(x) \cdot S^o(x)) \oplus (\sim\alpha(x) \cdot S^e(x))$$

defines a single cycle T-function. 

3 Existing TFBSC’s 

3.1 Klimov and Shamir’s Ciphers 

After introducing the concept of T-functions, Klimov and Shamir proposed sev- 
eral examples of TFBSCs [15, 16]. All are based on a similar construction. 

Let C_0 be an odd number, C_1 = 0x12481248 and C_3 = 0x48124812. We 
set a_0 = x_0 and a_{i+1} = a_i ∧ x_{i+1} for i = 0, 1, 2. We also have a = α(x) = 
(a_3 + C_0) ⊕ a_3. The following mapping is a single cycle T-function operating on 
64-bit words: 

$$\begin{pmatrix} x_3 \\ x_2 \\ x_1 \\ x_0 \end{pmatrix} \mapsto \begin{pmatrix} x_3 \oplus (a \wedge a_2) \oplus 2x_0(x_1 \vee C_1) \\ x_2 \oplus (a \wedge a_1) \oplus 2x_0(x_3 \vee C_3) \\ x_1 \oplus (a \wedge a_0) \oplus 2x_2(x_3 \vee C_3) \\ x_0 \oplus a \oplus 2x_2(x_1 \vee C_1) \end{pmatrix} \qquad (1)$$


Mitra and Sarkar described [22] a time-memory trade-off attack on a stream 
cipher based on (1) with a very simple output function. They analyzed the 
multiplicative part of the update function and managed to recover the initial 
secret key in 2^40 time, 2^24 space and less than five 128-bit blocks of keystream. 
3.2 The TSC Family 

Hong et al. provided two TFBSCs derived from their new single-cycle T- 
function family given in Theorem 1. For all algorithms, the number of words is 
m = 4. While Klimov–Shamir’s proposals are software-oriented designs (with the 
use of integer multiplication), the TSC family is S-box oriented. In particular, 
the authors have suggested an implementation method for TSC-1 and TSC-3 
which could make them suitable as hardware-oriented designs. 


TSC-1 

TSC-1 uses 4 words of n = 32 bits each, hence the internal state has size 128 
bits. First a single-cycle S-box S_1 operating on 4 bits is defined: 

S_1[16] = {3, 5, 9, 13, 1, 6, 11, 15, 4, 0, 8, 14, 10, 7, 2, 12}; 

The following function is an odd parameter: 

$$\alpha(x) = (p + C) \oplus p \oplus 2s,$$

where C = 0x12488421, p = x_0 ∧ x_1 ∧ x_2 ∧ x_3 and s = x_0 + x_1 + x_2 + x_3. 
According to Theorem 1 with S^o = S_1 and S^e = S_1^6, the following T-function is 
single-cycle: 

$$T(x) = (\alpha(x) \cdot S_1(x)) \oplus (\sim\alpha(x) \cdot S_1^6(x)). \qquad (2)$$

Finally, 32 output bits are produced after application of T by: 

$$f(x) = ((x_0 \lll 9) + x_1) \lll 15 + ((x_2 \lll 7) + x_3), \qquad (3)$$

where the symbol ⋘ denotes left rotation. Every addition is done modulo 2^32. 
It is proven that the period of this T-function is 2^128. 
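An added reference implementation in Python (not code from the paper or from the TSC designers) of the TSC-1 state update and output function as specified above. It also checks the S-box design criterion that Section 5.1 relies on: every power S_1^i of the S-box flips each input bit with probability 1/2, except for i = 4, 8, 12 and 16. It assumes that the even power in (2) is S_1^6, that words are 32-bit, and that layer i of the state is the nibble formed by bit i of x_0, ..., x_3 with x_0 as its least significant bit (the layer convention of Section 2.2).

```python
# Added example: TSC-1 as described in Section 3.2, plus the S-box bit-flip
# check of Section 5.1. Not the designers' code; see the assumptions above.

MASK32 = 0xFFFFFFFF
C_TSC1 = 0x12488421
# Single-cycle 4-bit S-box S_1 from the TSC-1 specification quoted above.
S1 = [3, 5, 9, 13, 1, 6, 11, 15, 4, 0, 8, 14, 10, 7, 2, 12]


def sbox_power(sbox, e):
    """Return the permutation sbox^e (e-fold composition) as a lookup table."""
    table = list(range(16))
    for _ in range(e):
        table = [sbox[v] for v in table]
    return table


def is_single_cycle(sbox):
    """True if iterating sbox from 0 visits all 16 values before returning to 0."""
    seen, v = set(), 0
    while v not in seen:
        seen.add(v)
        v = sbox[v]
    return len(seen) == len(sbox) and v == 0


def bit_flip_counts(sbox):
    """Per input bit b, count the inputs x whose bit b differs in sbox[x].
    A count of 8 out of 16 means bit b flips with probability exactly 1/2."""
    return [sum(((x ^ sbox[x]) >> b) & 1 for x in range(16)) for b in range(4)]


def unbiased_powers(sbox):
    """Exponents e in 1..16 for which every input bit of sbox^e flips with
    probability 1/2 (Section 5.1 reports all e except 4, 8, 12, 16 for S_1)."""
    return [e for e in range(1, 17)
            if bit_flip_counts(sbox_power(sbox, e)) == [8, 8, 8, 8]]


def rotl32(v, r):
    """32-bit left rotation (the <<< operator of equation (3))."""
    return ((v << r) | (v >> (32 - r))) & MASK32


def tsc1_parameter(x):
    """Odd parameter alpha(x) = (p + C) xor p xor 2s, computed modulo 2^32."""
    x0, x1, x2, x3 = x
    p = x0 & x1 & x2 & x3
    s = (x0 + x1 + x2 + x3) & MASK32
    return ((p + C_TSC1) & MASK32) ^ p ^ ((2 * s) & MASK32)


def apply_layerwise(x, table_for_layer):
    """Apply to each 4-bit layer i the S-box table chosen by table_for_layer(i).
    Layer i collects bit i of x_0..x_3, with x_0 as the LSB of the nibble."""
    out = [0, 0, 0, 0]
    for i in range(32):
        layer = sum(((x[k] >> i) & 1) << k for k in range(4))
        new_layer = table_for_layer(i)[layer]
        for k in range(4):
            out[k] |= ((new_layer >> k) & 1) << i
    return tuple(out)


S1_POW6 = sbox_power(S1, 6)  # assumed even power S^e of equation (2)


def tsc1_update(x):
    """T(x) = (alpha(x) . S_1(x)) xor (~alpha(x) . S_1^6(x)): layer i goes
    through S_1 when bit i of alpha(x) is 1, and through S_1^6 otherwise."""
    alpha = tsc1_parameter(x)
    return apply_layerwise(x, lambda i: S1 if (alpha >> i) & 1 else S1_POW6)


def tsc1_output(x):
    """f(x) = ((x_0 <<< 9) + x_1) <<< 15 + ((x_2 <<< 7) + x_3), modulo 2^32."""
    x0, x1, x2, x3 = x
    left = rotl32((rotl32(x0, 9) + x1) & MASK32, 15)
    right = (rotl32(x2, 7) + x3) & MASK32
    return (left + right) & MASK32


def tsc1_keystream(state, n):
    """Produce n 32-bit keystream words: each step applies T, then f."""
    words = []
    for _ in range(n):
        state = tsc1_update(state)
        words.append(tsc1_output(state))
    return words


if __name__ == "__main__":
    print("S_1 is a single cycle:", is_single_cycle(S1))
    print("powers of S_1 with all bit-flip probabilities 1/2:", unbiased_powers(S1))
    # Constructed sample state (not a real key): the all-zero state.
    print("first keystream words:", [hex(w) for w in tsc1_keystream((0, 0, 0, 0), 3)])
```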


TSC-2 

TSC-2 is quite similar to TSC-1. It uses a different S-box : 

S 2 [16] = {5, 2, 11, 12, 13, 4, 3, 14, 15, 8, 1, 6, 7, 10, 9, 0}; 
and the following odd parameter: 

cr 2 (x) = {p + 1) ® p ® 2s. 

According to Theorem 1 with S° = Id and S e = S 2 : 

x 1 — » x © (a 2 (x) • (x © 5 2 (x))). 
is single-cycle. Finally 32 keystream bits are obtained by: 

/ 2 (x) = (£o<g;il + £l)<gcl4 + (^0<gC13 + x 2 )<^ 22 + (a;o<gcl 2 + £3). 
TSC-3 

At the ECRYPT competition for stream ciphers [11], Hong et al. proposed 
the stream cipher TSC-3. It differs from its two predecessors in several 
elements: 

— First, it uses 4 words of 40 bits each. This breaks the 32-bit oriented 
architecture, but it does not matter since the cipher is primarily designed 
for hardware implementations. In addition, this increases the state size to 
160 bits. Therefore the expected level of security is 2^80, which can be reached 
by generic attacks, such as time-memory-data trade-offs [3]. 

— Secondly, each layer is still updated by S-boxes, but the branching function 
is more complex than for TSC-1 or TSC-2. Indeed, the parameter is made 
of 2 words p_0 and p_1. For the i-th layer, one first computes the value 

$$tmp = 2 \cdot [p_1]_i + [p_0]_i \in \{0, \ldots, 3\}.$$

According to the value of tmp, [x]_i is updated using either S, S^2, S^5 or S^6, 
where S is the same S-box as in TSC-1. 

— The output function is also modified in TSC-3. One first starts by initializing 
4 variables y_j of 32 bits each, by removing the 8 LSBs from each x_j. Then 
the y_j’s are permuted depending on the value of the least significant layer of 
the state, [x]_0. Therefore there are 2^4 = 16 possible permutations. Afterward, 
the output function looks very much like the ones used in TSC-1 and TSC-2: 

$$f(y) = ((y_0 \lll 9) + (y_1 \ggg 2)) \lll 8 + ((y_2 \lll 7) + y_3) \ggg 9$$

— An initialization mechanism has also been added in order to set up the state 
from a key and an IV of variable length. This mechanism is based on the 
T-function itself, but is not described here. 

For more information about these elements of TSC-3, the reader should refer 
directly to the specifications [10] or to the ECRYPT website [6]. 

4 Linear Cryptanalysis Against TFBSC’s 

4.1 Context 

Attacks based on linear approximations have many applications in cryptanalysis. 
For instance, Matsui’s attack is the best cryptanalysis of DES [20] and more gen- 
erally linear cryptanalysis has many applications to block ciphers. In the field 
of stream ciphers, popular attacks based on linear approximations have been 
developed for LFSR oriented designs and are generally referred to as correla- 
tion attacks [21,25]. Also, linear cryptanalysis for stream ciphers has already 
been suggested [5, 8] and has already been applied, for instance by Golic against 
RC4 [9]. 

In the case of TFBSC, the idea of using linear approximations was first 
introduced by Künzli, Junod and Meier. At the rump session of FSE 2005, they 
presented a distinguishing attack against TSC-1 requiring about 2^22 known 
keystream bits [18]. This idea is further developed in [19]. 
4.2 A Framework for Linear Cryptanalysis of TFBSC’s 

The attack we propose is composed of three steps: 

1. find a linear approximation of the T-function. This provides a proba- 
bilistic relation between bits from the internal state of the stream cipher at 
different instants. 

2. find a linear approximation of the output function. This provides a 
probabilistic relation between keystream bits and internal state bits. 

3. combine both approximations. One goal may be to find relations in- 
volving keystream bits only, in order to obtain a distinguisher. But a more 
interesting idea is to guess some key bits in order to eliminate some terms 
in the approximations and therefore to increase the bias. 

The general idea of this framework is to remove the non-linearity provided 
by the T-function. While steps 1 and 2 are almost always possible, it can be 
hard to combine the approximations in step 3. 

More formally, let [x_j]_i^t represent the value of bit i from register j at time 
t. In the first step, we look for equations of the form: 



for some δ and with |ε| as big as possible. For the purpose of the attacks against 
TSC-1 and TSC-2, it turns out that we are only interested in the particular 
linear relations of the form: 



This corresponds to the probability for a given bit in the internal state to flip 
between time t and time t + δ, also called the bit-flip probability. While the 
design criteria of the TSC family [10, 11] and the first known attacks [18, 19] 
focused on these bit-flip properties, there is no reason to restrict the analysis 
to such particular cases. The cryptanalysis of TSC-3 (see Section 7) is a good 
example of an attack where other types of linear approximations are needed. 

The second step depends on how complex the output function is, but it is 
generally possible to find linear approximations for the algorithms of the TSC 
family. For instance, suppose we find a probabilistic linear relation between sev- 
eral state bits [x_j]_i^t and several keystream bits [s]_k^t at time t. We combine this 
relation with the first step, to obtain a linearized relation of the form: 

$$\bigoplus \left([x_j]_i^{t} \oplus [x_j]_i^{t+\delta}\right) = \bigoplus_{k} \left([s]_k^{t} \oplus [s]_k^{t+\delta}\right) \qquad (4)$$

which is equal to 0 with probability 0.5(1 + ε) and hopefully |ε| ≫ 0. 

In the third step, we try to propose distinguishing attacks and key recovery 
attacks based on relation (4). A useful trick for T-functions is that when we 
guess the i LSBs of each register in the initial state, we can predict these i 
LSBs at every instant because of the triangular structure. 
5 The TSC-1 Case


In this section, we apply our framework to the TSC-1 case and show an efficient 
key-recovery attack. We explain the attack by following the three steps of our 
framework. 

5.1 First Step 

We want to approximate the behavior of the state-update function between time
$t$ and time $t+\delta$. By looking at the update function (2), we observe that the
update of the $i$-th layer depends on one parameter bit only, $[\alpha(x)]_i$.
Depending on this bit, the 4 bits of the layer are updated using either $S$ or
$S^2$.

We assume that the parameter is uniformly distributed. Then

$$\Pr([\alpha(x)]_i = 0) = \Pr([\alpha(x)]_i = 1) = \tfrac{1}{2}$$

for $i \neq 0$. This property has been verified experimentally. We construct a binary
tree describing the update of the $i$-th layer (see Figure 1). We start from an
unknown 4-bit value $a$ and each branch corresponds to a value of $[\alpha(x)]_i$. After
$j$ advances, there are $2^j$ leaves in the tree, each corresponding to a power of
$S$.

Fig. 1. Possible evolutions of the $i$-th layer for TSC-1 (binary tree rooted at
the value $a$ at level 0; the columns $[T(x)]_i$, $[T^2(x)]_i$, ... are levels 1, 2, 3).

Let $K_j^i$ be the number of occurrences of $S^i$ at level $j$ of the tree. The
coefficients $K_j^i$ can be computed by the formula:

$$K_j^i = \binom{j}{i-j} \quad \text{with } i \ge j .$$

Using these coefficients, we can compute the probabilities of each output value
after $j$ advances, for each value of $a$. Then, we search for linear approximations
between bits of the $i$-th layer at time $t$ and at time $t+j$. In the case of TSC-1,
we restrict our analysis to particular linear approximations where the same bit
is considered twice (known as bit-flip probabilities). The authors of TSC-1 took
them into account for the design, so the S-box has probability 1/2 to flip each
input bit. The same holds for all powers $S^i$ of the S-box, except for $i = 4, 8, 12$
and 16. So nothing will be observed at level 1 of the tree, but at deeper levels
the "weak" powers may appear with high coefficients. We explored the tree at
depth $j$ and computed the bit-flip probabilities for several values of $j$. The
results are given in Table 2 (due to some symmetry properties, the probability is
the same for the 4 input bits). We observe that the bias has local maxima at
$j = 3, 5, 8$ and 11, the largest one being at $j = 3$. An example of a good linear
approximation is:

$$\Pr\left([x_j]_i^t \oplus [x_j]_i^{t+3} = 1\right) \simeq 0.64 = \tfrac{1}{2}(1 + 0.28)$$

for all registers $j = 0, \ldots, 3$.

In Table 7 of the Appendix, we give experimental results. They show that the
observed biases match the theoretical analysis. Therefore the initial assumption
that the parameter bits are uniformly distributed is satisfied. The only
exception concerns the LSB of the registers. Indeed, the parameter bit is constant
at position 0, so the previous assumption no longer holds there. This analysis
explains what Künzli et al. observed [18] with $j = 8$ and 11, although the best
bias is obtained with $j = 3$.
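The tree exploration of this section, written out as an added Python example (this is not code from the paper). `leaf_distribution` enumerates the $2^j$ leaves of Fig. 1 and returns the weight $K_j^i / 2^j$ of every power $S^i$ (the two branch powers default to $S$ and $S^2$), `per_power_flip` computes the bit-flip probability of each power of an arbitrary 4-bit S-box, and `bit_flip_probability` averages the per-power flip probabilities over the leaves, which is exactly a Table 2 entry. Two things are assumptions of this example rather than facts stated on the page: `DEMO_SBOX` is a constructed single 16-cycle (not the TSC-1 S-box), and the flip probabilities 7/8 for $S^4$ and $S^{12}$ and 1/4 for $S^8$ in `TSC1_FLIP_BY_POWER` were inferred from the numbers of Table 2 (the text only says that every other power flips each bit with probability 1/2 and that $S^{16}$ is the identity); with them, `table2` reproduces the column of Table 2.

```python
from math import comb

CYCLE = 16   # the 4-bit S-box is a single 16-cycle, so S^16 = S^0 = identity


def leaf_distribution(j, e0=1, e1=2):
    """Level j of the binary tree of Fig. 1.  Each advance applies S^e0 or S^e1
    with probability 1/2 (uniform parameter bit), so a leaf reached through k
    branches of the second kind carries S^((j-k)*e0 + k*e1).  Returns
    {power mod 16: K_j^power / 2^j}; for (e0, e1) = (1, 2) this is
    K_j^i = C(j, i-j) with j <= i <= 2j."""
    dist = {}
    for k in range(j + 1):
        power = ((j - k) * e0 + k * e1) % CYCLE
        dist[power] = dist.get(power, 0.0) + comb(j, k) / 2 ** j
    return dist


def sbox_power(sbox, e):
    """S^e as a lookup table (S applied e times)."""
    table = list(range(len(sbox)))
    for _ in range(e % CYCLE):
        table = [sbox[v] for v in table]
    return table


def per_power_flip(sbox, bit):
    """{e: Pr(bit `bit` of S^e(a) differs from bit `bit` of a)} for uniform a,
    i.e. the bit-flip probability of every power of the S-box."""
    n = len(sbox)
    result = {}
    for e in range(CYCLE):
        table = sbox_power(sbox, e)
        result[e] = sum(((table[a] ^ a) >> bit) & 1 for a in range(n)) / n
    return result


def bit_flip_probability(j, flip_of_power, e0=1, e1=2):
    """Bit-flip probability of a layer between time t and t+j: average of the
    per-power flip probabilities over the leaves at depth j (a Table 2 entry)."""
    return sum(w * flip_of_power[e] for e, w in leaf_distribution(j, e0, e1).items())


# Per-power flip probabilities for TSC-1's S-box: 1/2 for every power except
# 4, 8, 12, 16 (as the text states).  The values for the weak powers are an
# ASSUMPTION inferred from Table 2, not taken from the TSC-1 specification.
TSC1_FLIP_BY_POWER = {e: 0.5 for e in range(CYCLE)}
TSC1_FLIP_BY_POWER.update({4: 7 / 8, 8: 1 / 4, 12: 7 / 8, 0: 0.0})  # S^16 = S^0 = Id


def table2(max_depth=16):
    """{j: bit-flip probability p after j advances}, with p = 1/2 (1 + eps)."""
    return {j: bit_flip_probability(j, TSC1_FLIP_BY_POWER) for j in range(1, max_depth + 1)}


# Constructed single 16-cycle S-box, used only to exercise per_power_flip
# (it is NOT the TSC-1 S-box): 0->5->11->2->14->7->9->12->4->15->1->10->6->13->3->8->0
DEMO_SBOX = [5, 10, 14, 8, 15, 11, 13, 9, 0, 12, 6, 2, 4, 3, 7, 1]

if __name__ == "__main__":
    for j, p in table2(16).items():
        print(f"j={j:2d}  p={p:.4f}  |eps|={abs(2 * p - 1):.4f}")
    print("demo S-box, bit 0, flip probability per power:", per_power_flip(DEMO_SBOX, 0))
```

Plugging a real S-box into `per_power_flip` and feeding its output to `bit_flip_probability` gives the whole of Table 2 for that S-box without any simulation, which is the quickest way to check a new TSC-style instance against the "weak power" effect described above.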

5.2 Second Step 

In this step, we want to "linearize" the behavior of the output function of TSC-1
defined by (3). This function uses addition and left rotation on 32-bit words.


Table 2. TSC-1: bit-flip probabilities $p = \frac{1}{2}(1+\varepsilon)$ for different depths $j$ of the tree

   j      p        |ε|
   1    0.5000   0.0000
   2    0.5937   0.1874
   3    0.6406   0.2812
   4    0.5078   0.0156
   5    0.4219   0.1562
   6    0.4473   0.1054
   7    0.5479   0.0958
   8    0.5996   0.1992
   9    0.5264   0.0528
  10    0.4143   0.1714
  11    0.3993   0.2014
  12    0.4849   0.0302
  13 to 16: only the |ε| column survived, with one entry missing: 0.1014, 0.0056, 0.0566
Left rotation is already linear, so we only have to linearize the additions. This
can be done naturally by introducing a carry bit. For instance, when adding two
integers $a_0$ and $a_1$, we can express the $i$-th bit of the result by the linear
expression:

$$[a_0]_i \oplus [a_1]_i \oplus R_i$$

where $R_i$ depends on layers $< i$.

Consider the addition of $n$ integers of 32 bits called $a_0, \ldots, a_{n-1}$. We write
$A = \sum_{k=0}^{n-1} a_k$ and $R(i)$ for the $i$-th carry. For $n = 2$ terms, the carry is
simply one bit, but more generally it is an integer, formally defined by:

$$R(i) = \frac{\left(\sum_{k=0}^{n-1} (a_k \bmod 2^i)\right) - (A \bmod 2^i)}{2^i}$$

with $R(0) = 0$. The linearized expression of the $i$-th bit of $A$ is given by:

$$\left[\sum_{k=0}^{n-1} a_k\right]_i = [R(i)]_0 \oplus \bigoplus_{k=0}^{n-1} [a_k]_i \qquad (5)$$


In the case of TSC-1, the output function is composed of an addition with 2
terms ($E = (x_0 \lll 9) + x_1$) and an addition with 3 terms
($S = (E \lll 15) + (x_2 \lll 7) + x_3$), where $S$ represents the output. Hence,
using the linearized relation (5), for any bit $i$ we have:

$$[E]_i = [x_0]_{(i+23)} \oplus [x_1]_{(i)} \oplus [R_E(i)]_0$$
$$[S]_i = [E]_{(i+17)} \oplus [x_2]_{(i+25)} \oplus [x_3]_{(i)} \oplus [R_S(i)]_0$$

where $R_E$ and $R_S$ represent the carry of the 2-term and of the 3-term addition
respectively. All indexes are taken modulo 32. Note that $R_E(i) \in \{0, 1\}$ and
$R_S(i) \in \{0, 1, 2\}$. Finally, we obtain:

$$[S]_i = [x_0]_{(i+8)} \oplus [x_1]_{(i+17)} \oplus [R_E(i+17)]_0 \oplus [x_2]_{(i+25)} \oplus [x_3]_{(i)} \oplus [R_S(i)]_0$$

which is a linear approximation of the output function.

We would like to XOR this relation at two instants $t$ and $t+\delta$, for instance
with $\delta = 3$, since this is the value identified in the first step. We already
know the bit-flip probabilities of the register bits. The remaining problem is
to determine the bit-flip probabilities of the carry bits between $t$ and $t+3$.


5.3 Bit Flip Property of Carries 

Basically, each input bit in the additions E and S is flipped with a known 
probability, different from 0.5. As a consequence, we may expect that the carries 
also flip with probabilities different from 0.5. The goal of this Section is to 
evaluate this probability. 
We define the "general carry" as $[R_G(i)]_0 = [R_E(i+17)]_0 \oplus [R_S(i)]_0$. We also
write $X_{R_G}(i) = [R_G(i)]_0^t \oplus [R_G(i)]_0^{t+3}$ and $X_j(i) = [x_j]_i^t \oplus [x_j]_i^{t+3}$.
From the previous section, we get:

$$[S]_i^t \oplus [S]_i^{t+3} = X_{R_G}(i) \oplus X_0(i+8) \oplus X_1(i+17) \oplus X_2(i+25) \oplus X_3(i)$$

From the first step, we know that $\Pr(X_j(i) = 1) = \frac{1}{2}(1+\varepsilon_j^i)$. The
biases $\varepsilon_j^i$ are given in Table 7 in the Appendix. So the only remaining term
is $X_{R_G}(i)$. Experimentally, we observed that

$$\Pr(X_{R_G}(i) = 1) = \tfrac{1}{2}(1+\varepsilon_G^i) \quad \text{with } |\varepsilon_G^i| \text{ noticeably larger than } 0$$

and that $\varepsilon_G^i$ depends on the position $i$ considered. Unfortunately, we also
observed that the two "internal" carries $R_S(i)$ and $R_E(i)$ are not independent,
so it is not possible to handle them separately.

To explain this bias, we model the phenomenon as a Markov chain. Indeed, the
carries at layer $i+1$ are computed only from the carries at layer $i$ and from the
terms in the addition, so we do not need to remember what happened previously.
We implemented a recursive algorithm to evaluate the following probability,
starting from the least significant bit $i = 0$:

$$\Pr_i(a,b,c,d) = \Pr\Big( (R_S(i)^t = a) \wedge (R_S(i)^{t+3} = b) \wedge (R_E(i+17)^t = c) \wedge (R_E(i+17)^{t+3} = d) \Big)$$

for all possible $(a,b,c,d) \in \{0,1,2\}^2 \times \{0,1\}^2$. To compute $\Pr_{i+1}(a,b,c,d)$, we
examine all cases at layer $i$: we try all values of the terms in the addition, we
try all values of the carries at layer $i$, and we compute the new carries. Each
event at layer $i$ is associated with its corresponding probability, and we
increment the probabilities of layer $i+1$ accordingly. After examining all cases,
we know $\Pr_{i+1}(a,b,c,d)$. Then, we increment $i$ and jump to the next layer¹.

In the end, we obtain the bit-flip probability of the general carry by:

$$\Pr(X_{R_G}(i) = 1) = \sum_{a,b,c,d \,:\, \mathrm{LSB}(a) \oplus \mathrm{LSB}(b) \oplus c \oplus d = 1} \Pr_i(a,b,c,d).$$

The experiments on TSC-1 returned the same probabilities as our computation
by the Markov chain. These results are listed in the rightmost column of Table 7
(see the Appendix). We now have biased linear approximations which involve
only TSC-1's output bits and internal state bits, so we can continue to the third
step.


¹ There is a slight technicality: layer 0 actually depends on layer 31 due to the
left rotation, so we do not know how to initialize the recursion. In practice the
probabilities are quite independent of the initial value, so this difficulty can be
handled.
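The chain just described, written out as an added Python example (this is not the authors' implementation). `carry_flip_probabilities` carries the joint law of $(R_E(i+17)^t, R_E(i+17)^{t+3}, R_S(i)^t, R_S(i)^{t+3})$ through the 32 layers of the TSC-1 output function, resets $R_E(0) = R_S(0) = 0$ where the rotation wraps around, and sums the entries with $\mathrm{LSB}(a) \oplus \mathrm{LSB}(b) \oplus c \oplus d = 1$ to obtain $\Pr(X_{R_G}(i) = 1)$. Running the 32 layers twice removes the initialization problem of footnote 1: after the first pass the distribution of $R_E(17)$ is the one implied by $R_E(0) = 0$, so the second pass no longer depends on the starting value. The register flip probabilities are an input; `ASSUMED_FLIP` (0.64 at every layer, 0.5 as a placeholder for layer 0) is a constructed stand-in for the register columns of Table 7, so the printed numbers illustrate the method rather than reproduce the table.

```python
from itertools import product

W = 32   # register width of TSC-1


def _bit_pairs(p_flip):
    """(bit at t, bit at t+3, probability) for one register bit: uniform at
    time t and flipped between t and t+3 with probability p_flip.  Assumption
    (as in the text): flips are independent of everything else."""
    return [(b, b ^ f, 0.5 * (p_flip if f else 1.0 - p_flip))
            for b in (0, 1) for f in (0, 1)]


def carry_flip_probabilities(flip, sweeps=2):
    """Markov-chain evaluation of Pr(X_{R_G}(i) = 1), i = 0..31, for the TSC-1
    output S = ((x0 <<< 9) + x1) <<< 15 + (x2 <<< 7) + x3, where
    R_G(i) = R_E(i+17) xor R_S(i) and X_{R_G}(i) = [R_G(i)]_0^t xor [R_G(i)]_0^{t+3}.
    flip[j][i] = Pr(bit i of register x_j flips between t and t+3).
    Chain state: joint law of (R_E(i+17)^t, R_E(i+17)^{t+3}, R_S(i)^t, R_S(i)^{t+3})."""
    state = {(0, 0, 0, 0): 1.0}
    pr = [0.0] * W
    for _ in range(sweeps):            # second sweep starts from the exact R_E(17)
        for i in range(W):
            ie = (i + 17) % W          # layer of E that feeds layer i of S
            pr[i] = sum(p for (ce_t, ce_u, cs_t, cs_u), p in state.items()
                        if (ce_t ^ ce_u ^ cs_t ^ cs_u) & 1)
            inputs = [_bit_pairs(flip[0][(i + 8) % W]),    # [x0]_(i+8): term of E at layer ie
                      _bit_pairs(flip[1][ie]),             # [x1]_(i+17)
                      _bit_pairs(flip[2][(i + 25) % W]),   # [x2]_(i+25): term of S at layer i
                      _bit_pairs(flip[3][i])]              # [x3]_i
            nxt = {}
            for (ce_t, ce_u, cs_t, cs_u), p in state.items():
                for (a0, b0, p0), (a1, b1, p1), (a2, b2, p2), (a3, b3, p3) in product(*inputs):
                    se_t, se_u = a0 + a1 + ce_t, b0 + b1 + ce_u      # E = x0<<<9 + x1
                    ss_t = (se_t & 1) + a2 + a3 + cs_t                # S = E<<<15 + x2<<<7 + x3
                    ss_u = (se_u & 1) + b2 + b3 + cs_u
                    ne_t, ne_u = se_t >> 1, se_u >> 1                 # R_E(ie+1) in {0,1}
                    ns_t, ns_u = ss_t >> 1, ss_u >> 1                 # R_S(i+1) in {0,1,2}
                    if (ie + 1) % W == 0:                             # R_E(0) = 0
                        ne_t = ne_u = 0
                    if (i + 1) % W == 0:                              # R_S(0) = 0
                        ns_t = ns_u = 0
                    key = (ne_t, ne_u, ns_t, ns_u)
                    nxt[key] = nxt.get(key, 0.0) + p * p0 * p1 * p2 * p3
            state = nxt
    return pr


def bias(p):
    """epsilon such that p = 1/2 (1 + epsilon)."""
    return 2 * p - 1


# Constructed input: every register bit flips with probability 0.64 between t
# and t+3 (the j = 3 value of Section 5.1) except layer 0, whose parameter bit
# is constant; 0.5 there is a placeholder, not a value from the text.
ASSUMED_FLIP = [[0.5] + [0.64] * (W - 1) for _ in range(4)]

if __name__ == "__main__":
    for i, p in enumerate(carry_flip_probabilities(ASSUMED_FLIP)):
        print(f"i={i:2d}  Pr(X_RG(i)=1)={p:.4f}  eps={bias(p):+.4f}")
```

Replacing `ASSUMED_FLIP` by measured per-register, per-layer flip probabilities yields the LSB($R_G$) column of Table 7 for those inputs; the multiplication of the resulting $\varepsilon_G^i$ with the four register biases is then the piling-up step used in Section 5.4.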
5.4 Third Step

Distinguishing Attacks

It is easy to use a bias on the output of a stream cipher for a distinguishing
attack: one just produces enough keystream bits and checks whether the bias is
observed or not. For a bias $\varepsilon$, it is well known that about $\varepsilon^{-2}$ samples
are needed. As an example, Künzli et al. pointed out a distinguisher requiring
$2^{22}$ output bits for TSC-1 [18]. Similarly, our previous analysis provides a
distinguishing attack. For example, consider the layer $i = 1$ of the output. We
have

$$[S]_1^t \oplus [S]_1^{t+3} = X_{R_G}(1) \oplus X_0(9) \oplus X_1(18) \oplus X_2(26) \oplus X_3(1)$$

Assuming the terms are independent, the biases simply multiply, so

$$\Pr\left([S]_1^t \oplus [S]_1^{t+3} = 1\right) = 0.5\,(1+\varepsilon_1)$$

with:

$$\varepsilon_1 = \varepsilon(X_0(9)) \times \varepsilon(X_1(18)) \times \varepsilon(X_2(26)) \times \varepsilon(X_3(1)) \times \varepsilon(X_{R_G}(1)) = 0.2834 \times 0.2824 \times 0.2732 \times 0.2812 \times (-0.0874) = -2^{-10.86}$$

using Table 7 in the Appendix. This gives a data complexity of $\varepsilon_1^{-2} \simeq 2^{21.7}$
keystream bits, which is slightly better than [19].


Key Recovery Attacks

As pointed out in Section 4.2, if we guess the $i$ LSBs of each register in the
initial state, we can predict these bits at any moment. This idea can be used to
eliminate many terms in the linear approximations.

First, let us guess the LSB of each register. There are $2^4 = 16$ possibilities.
For any instant $t$, we can predict these LSBs and thus eliminate all terms of the
form $X_j(0)$ in the linear approximations. For instance, we can predict
$[S]_0^t \oplus [S]_0^{t+3} \oplus X_3(0)$, which is biased with

$$\varepsilon = -0.2826 \times 0.2818 \times 0.2826 \times 0.1906 = -2^{-7.86}$$

according to Table 7 of the Appendix. This bias will be observed only for the
correct guess. So, with a sufficient amount of data, we can find which of the 16
guesses is correct. The process can be repeated to successively guess all layers of
the initial state, starting from the least significant ones.

The complexity of guessing each layer depends on the best bias that can be
found. For the first step of the attack, the bias is $\varepsilon = -2^{-7.86}$, so we need

$$M = \varepsilon^{-2} = 2^{15.72}$$

keystream bits to find the correct guess. The time complexity is about

$$T = 2^{15.72} \times 2^4 = 2^{19.72}$$
steps. If we stop the attack after this step, we obtain a distinguishing attack
which is slightly better than [19]. At each step, we can choose between several
linear approximations (one for each of the 32 keystream bits). We always pick the
position which gives the best results (see Table 3 for more details). Note that after
guessing layer 7, we can eliminate two terms in the linear approximations, so
the complexity drops. Similarly, the complexity drops after layer 15 (3 terms are
eliminated) and after layer 23 (4 terms are eliminated). The full cost of the
attack is dominated by the first layers (layer number 2 in particular). The total
complexity is $2^{21.4}$ data and $2^{25.4}$ time.

6 The TSC-2 Case 

The attack against TSC-2 is similar to the attack against TSC-1. The only
difficulty is that the bit-flip probability for the register $x_0$ is almost balanced,
because the authors have used a particular S-box. Nevertheless, due to some
second-order effects, we can still obtain good linear approximations of the
T-function. Details can be found in the extended version of this paper [23].

The resulting complexity is $2^{48.1}$ time and $2^{44.1}$ data to recover the secret
key. This result is worse than for TSC-1, mostly because the output function is
more complicated (6 terms are used instead of 4), so the observed bias is much
smaller.

7 The TSC-3 Case 

Since TSC-3 has some particular features compared to the two previous algo- 
rithms, the application of the attack is not exactly the same. However, it roughly 
follows the same framework. 


7.1 First Step 

The update of any layer $[x]_i$ of the state can still be represented in a tree-
oriented fashion, although it is no longer a binary tree (each node has 4
branches). Let us first suppose that the parameter words are uniformly
distributed. Then, after applying the T-function, $[T(x)]_i$ has probability 1/4 to be
equal to any of the $S^j([x]_i)$, for $j = 1, 2, 5, 6$. Similarly, after $t$ updates, one
can easily compute the probability for $[T^t(x)]_i$ to be equal to each power of the
S-box². This is summarized in Table 4. Then we can apply essentially the same
analysis as for TSC-1 and TSC-2. However, here we are not interested only in
bit-flip properties. Linear relations involving one input bit and another output
bit may be of interest, because the registers are permuted in the output function,
so we may compare bits belonging to different registers in the next steps of the
attack. So we focus on the linear relations of the form:

$$[x_j]_i^t = [x_{j'}]_i^{t+\delta} \qquad (6)$$

for two different register indexes $j, j' \in \{0, \ldots, 3\}$ and for some depth $\delta$. While
the S-box of TSC-3 (the same as the one used in TSC-1) has good bit-flip
properties, such advanced linear approximations have not been taken into account
by the designers.

Table 4. Exploration of the tree for TSC-3: probability that $[T^t(x)]_i = S^j([x]_i)$


Remember that S 1 
Table 5. Probability that $[x_j]_i^t = [x_{j'}]_i^{t+\delta}$ (columns: input register
$[x_j]_i^t$; rows: output register $[x_{j'}]_i^{t+\delta}$)

Case δ = 1

                     [x_0]^t    [x_1]^t    [x_2]^t    [x_3]^t
  [x_0]^{t+1}        0.5        0.53125    0.46875    0.5
  [x_1]^{t+1}        0.46875    0.5        0.5        0.46875
  [x_2]^{t+1}        0.5        0.53125    0.5        0.53125
  [x_3]^{t+1}        0.53125    0.5        0.46875    0.5

Case δ = 2

                     [x_0]^t    [x_1]^t    [x_2]^t    [x_3]^t
  [x_0]^{t+2}        0.515625   0.515625   0.5        0.5
  [x_1]^{t+2}        0.5        0.515625   0.46875    0.5
  [x_2]^{t+2}        0.5        0.5        0.515625   0.515625
  [x_3]^{t+2}        0.5        0.5        0.5        0.515625

From Table 4, it is easy to derive the probability that relation (6) holds,
for any pair of registers $(j, j')$. These results do not depend on which layer
$i$ we consider, although some side effects are observed at the least significant
positions³. The results for certain values of $\delta$ are given in Table 5. They have
been verified experimentally, by running the cipher on a random initial state.


7.2 Second Step 

In the case of TSC-3, the output function is not directly applied to the state
registers, but to 4 registers $y_0, y_1, y_2$ and $y_3$ which are truncated and permuted
copies of the state registers $x_0, x_1, x_2$ and $x_3$. First we linearize the output
function as we did for TSC-1 and TSC-2:

$$[S]_i = [y_0]_{(i+17)} \oplus [y_1]_{(i+26)} \oplus [y_2]_{(i+2)} \oplus [y_3]_{(i+9)} \oplus [R_G(i)]_0$$

where $R_G(i)$ is the "general carry", defined as before. Then, we replace the
bits from the registers $y_j$ by the appropriate bits from the state registers $x_j$.
Because of the truncation and the permutation, we have $[y_j]_i = [x_{\pi(j)}]_{i+8}$, where
$\pi$ is a 4-bit permutation determined by the layer $[x]_0$ of the internal state. The

³ Contrary to TSC-1 or TSC-2, these side effects are not a problem for TSC-3, since
layers 0 to 7 are discarded by the output function.
linear approximations depend on this permutation. Suppose that we are in the
particular case where:

$$[x]_0^t = 4$$

Then the next value $[x]_0^{t+1}$ of this layer is determined as well. Looking at the
permutations $\pi$ associated with these two values, we get

$$[S]_i^t = [x_0]^t_{(i+25)} \oplus [x_1]^t_{(i+34)} \oplus [x_3]^t_{(i+10)} \oplus [x_2]^t_{(i+17)} \oplus [R_G(i)]_0^t$$

and

$$[S]_i^{t+1} = [x_1]^{t+1}_{(i+25)} \oplus [x_0]^{t+1}_{(i+34)} \oplus [x_2]^{t+1}_{(i+10)} \oplus [x_3]^{t+1}_{(i+17)} \oplus [R_G(i)]_0^{t+1}$$

Using Table 5, we observe that:

$$\Pr\left([x_0]^t_{(i+25)} = [x_1]^{t+1}_{(i+25)}\right) = 0.46875$$
$$\Pr\left([x_1]^t_{(i+34)} = [x_0]^{t+1}_{(i+34)}\right) = 0.53125$$
$$\Pr\left([x_3]^t_{(i+10)} = [x_2]^{t+1}_{(i+10)}\right) = 0.53125$$
$$\Pr\left([x_2]^t_{(i+17)} = [x_3]^{t+1}_{(i+17)}\right) = 0.46875$$

These 4 probabilities are of the form $0.5\,(1 \pm 2^{-4})$. We tried other values of
$[x]_0$ than 4, but it seems to be the best choice, since the highest probabilities
of Table 5 appear. Combining the two relations at instants $t$ and $t+1$, we get:

$$[S]_i^t \oplus [S]_i^{t+1} = [R_G(i)]_0^t \oplus [R_G(i)]_0^{t+1}$$

with probability $0.5\,(1+\varepsilon)$ and $|\varepsilon| = (2^{-4})^4 = 2^{-16}$.

As for TSC-1 and TSC-2, the carries from the additions involved in the
output function are not independent of each other. So it is not easy to express
simply the probability that $[R_G]$ changes between $t$ and $t+1$. As before,
modeling this phenomenon by a Markov chain could provide more precise
results, but we chose to measure the probability experimentally for the sake of
simplicity. Results for several values of $i$ are given in Table 6. For some well-
chosen positions (typically those where one of the carries is guaranteed to be 0),
the probability deviates significantly from 0.5. We observed biases as high as
$\varepsilon \simeq 2^{-3}$ for "good" positions such as $i = 8$ or $i = 23$. As a consequence,

$$[S]_{23}^t \oplus [S]_{23}^{t+1}$$

is equal to 0 with probability $0.5\,(1+\varepsilon)$ and $|\varepsilon| \simeq 2^{-16} \times 2^{-3} = 2^{-19}$.

This bias is only valid when $[x]_0^t = 4$, which is the case for exactly one
position out of 16 in the keystream sequence. It is straightforward to determine
which positions should be analyzed if we guess the 4 LSBs of the initial state.
In the next section, we show how to exploit this bias for distinguishing and
key-recovery attacks.
Table 6. TSC-3: bias measured experimentally on the carry, $\Pr([R_G(i)]_0^t \oplus [R_G(i)]_0^{t+1} = 1)$

  Position   Probability      Position   Probability
  i = 0      0.5001           i = 16     0.4993
  i = 1      0.4921           i = 17     0.4998
  i = 2      0.4968           i = 18     0.4997
  i = 3      0.4989           i = 19     0.4998
  i = 4      0.5001           i = 20     0.5003
  i = 5      0.5003           i = 21     0.5002
  i = 6      0.5004           i = 22     0.4996
  i = 7      0.4999           i = 23     0.4452
  i = 8      0.4442           i = 24     0.4862
  i = 9      0.4871           i = 25     0.4962
  i = 10     0.4967           i = 26     0.4995
  i = 11     0.4999           i = 27     0.5003
  i = 12     0.4996           i = 28     0.5005
  i = 13     0.4997           i = 29     0.4997
  i = 14     0.5002           i = 30     0.4996
  i = 15     0.4997           i = 31     0.5007

7.3 Third Step

If we exploit positions 8 or 23 of the output word, we showed in the previous
section a bias of the order of $\varepsilon = 2^{-19}$. This can be used to distinguish TSC-3's
output sequence from random data, provided $\varepsilon^{-2} = 2^{38}$ samples are given. Since
only one position out of 16 in the output sequence is useful, it means that

$$M = 16 \times 2^{38} = 2^{42}$$

output words are needed. In addition, we must try all values for the initial state's
LSBs, so the time complexity is about

$$T = 2^4 \times 2^{38} = 2^{42}$$

computation steps.

To mount a key-recovery attack, we start by guessing the 9 least significant
layers of the initial state (36 bits in total), in order to predict $[x]_8^t$ for all $t$. This
layer is also the least significant layer of the registers $y_i$, and it turns out that it
is also used in one of the "best" linear approximations: $[S]_{23}^t \oplus [S]_{23}^{t+1}$.
Therefore, we can eliminate one term in this approximation, which increases
the bias from $2^{-19}$ to $2^{-15}$. Once we have found the correct guess for these 36 state
bits, it is straightforward to continue the attack, as we did for TSC-1 and TSC-2.
The first step is clearly the most expensive, because we must guess 36 bits at
the same time. So, the time complexity is

$$T = 2^{36} \times (2^{15})^2 = 2^{66}$$

computation steps. The data complexity of this attack is only

$$M = 16 \times 2^{30} = 2^{34}$$

output words.

These two attacks show that the stream cipher TSC-3 does not reach the
expected security level.
8 Criteria for Future Design

First, we can notice that the 3 separate steps in our linear cryptanalysis frame- 
work are always possible, to some extent. 

— The periodicity of the least significant layers in multi-word T-functions is
always small, by construction. The periodicity of the $i$-th layer is at most
$2^{mi}$ for a state of $m$ words. Therefore the following linear relation always
holds with probability 1:

$$[x]_i^t \oplus [x]_i^{t + 2^{mi}} = 0$$

Other approximations can exist depending on the nature of the T-function, 
as illustrated in the case of the TSC family. 

— For any choice of the output function, there exist linear approximations 
between input and output bits. Unless the function is very complex (but it 
is generally not the case, because the output function needs to be fast), it is 
likely that approximations with good probability can even be found. 

— If the approximations of step 1 and step 2 can be combined, it is generally 
feasible to exploit these biased relations into a key-recovery attack. 

Therefore the difficulty lies not in finding linear approximations or exploiting
them, but in combining all approximations to describe the complete cipher.
This is something we did not manage to do for Klimov and Shamir's proposal [16],
for instance. It is likely that T-functions will receive a lot of attention in the
future for stream cipher design. To prevent the application of linear cryptanalysis,
we suggest several safeguards.

— Never use the least significant half of the registers in the output function, 
because of the small periodicity (this countermeasure was already applied 
by Klimov and Shamir in several proposals, and TSC-3 has also taken a step 
in this direction compared to its two predecessors). 

— Use rotations in the output function in order to combine the bits from all 
registers. The output function of TSC-1 or TSC-3 is probably too simple, 
which makes the analysis easier. 

— Try to avoid simple linear approximations for the T-functions over several 
consecutive steps. For the S-box based T-functions proposed by Hong et al., 
it is an open problem to say if this is possible. It seems that the current 
proposals do not provide enough diffusion, but maybe for an appropriate 
instantiation, the existence of good linear approximations may be avoided. 
This is an interesting topic for future research. 

— Try to take advantage of the "complex" operations which are available on 
processors. For instance, we believe it is a good idea to use the integer mul- 
tiplication, when possible, even in the output function. 

All these countermeasures may have a negative impact on the encryption speed, 
but this must be put into the balance with the increased level of security. 
9 Conclusion and Comments

In this paper, we give a general framework of linear cryptanalysis for stream 
ciphers using a T-function. The idea consists in linearizing separately the T- 
function and the output function, and then connecting both approximations. 
We successfully applied it to the TSC family of stream ciphers but we believe it 
can have many applications against this emerging family. 

We managed to find a key recovery attack requiring $2^{21.4}$ data with $2^{25.4}$ time
for TSC-1, and $2^{44.1}$ data with $2^{48.1}$ time for TSC-2. The attack against TSC-1
has been implemented and requires about 4 minutes of analysis on an average
PC. Thus, TSC-1 and TSC-2 are not secure enough for stand-alone use.

An advanced version of our attack also breaks TSC-3, one of the stream
ciphers recently proposed to the ECRYPT project. This attack is of particular
interest because the designers took into account the distinguishing attacks by
Künzli et al. and added countermeasures. However, our general framework still
allows us to break the cipher. TSC-3 can be distinguished from random by
processing $2^{42}$ output words, and its secret key can be recovered with $2^{66}$
computation steps and $2^{34}$ known output words.

For future designs of stream ciphers, we suggest to benefit from complex 
operations that allow T-functions. For instance, integer multiplication has good 
diffusion properties and prevents good linear approximations. Moreover, we rec- 
ommend never to use LSB’s of the state registers in the output function. 
Appendix

Table 7. TSC-1 for $t$ / $t+3$: bit-flip probabilities of the registers and of the LSB of
the general carry. Only the LSB($R_G$) column, i.e. $\Pr(X_{R_G}(i) = 1)$, is recoverable;
its entries in the order extracted (the first two, 0.5953 and 0.4563, are the values
for $i = 0$ and $i = 1$ used in Section 5.4):

0.5953, 0.4563, 0.4948, 0.5328, 0.5343, 0.5356, 0.5352, 0.5263, 0.5337, 0.5355,
0.5354, 0.5352, 0.4348, 0.4952, 0.5253, 0.5332, 0.5349, 0.5355, 0.5359, 0.5355,
0.5360, 0.5349, 0.5266, 0.5351, 0.5357, 0.5355, 0.5351
Abstract. In this paper we revisit a known but ignored weakness of
the RC4 keystream generator, where secret state information leaks to the
generated keystream, and show that this leakage, also known as Jenkins'
correlation or the RC4 glimpse, can be used to attack RC4 in several
modes. Our main result is a practical key recovery attack on RC4 when
an IV modifier is concatenated to the beginning of a secret root key to
generate a session key. As opposed to the WEP attack from [FMS01], the
new attack is applicable even in the case where the first 256 bytes of the
keystream are discarded, and its complexity grows only linearly with the
length of the key. In an exemplifying parameter setting the attack recovers
a 16-byte key in $2^{48}$ steps using $2^{17}$ short keystreams generated from
different chosen IVs. A second attacked mode is when the IV succeeds
the secret root key. We mount a key recovery attack that recovers the
secret root key by analyzing a single word from $2^{22}$ keystreams generated
from different IVs, improving the attack from [FMS01] on this mode. A
third result is an attack on RC4 that is applicable when the attacker can
inject faults into the execution of RC4. The attacker derives the internal
state and the secret key by analyzing $2^{14}$ faulted keystreams generated
from this key.

Keywords: RC4, Stream ciphers, Cryptanalysis, Fault analysis, Side- 
channel attacks, Related IV attacks, Related key attacks. 

1 Introduction 

RC4 is the most widely used stream cipher in software applications. Among
numerous applications it is used to protect Internet traffic as part of SSL
and is integrated into Microsoft Windows. It was designed by Ron Rivest in 1987
and kept as a trade secret until it leaked out in 1994. RC4 has a secret internal
state which is a permutation of all the $N = 2^n$ possible $n$-bit words, together
with two indices into it; in practical applications $n = 8$, and thus RC4 has
a huge state of $\log_2(2^8! \times (2^8)^2) \approx 1700$ bits.

In this paper we revisit a known but previously ignored property of RC4,
which we denote as the Glimpse property, also known as Jenkins' correlations.
The glimpse is a leakage of information from the RC4 secret state to the generated
keystream, where every keystream word hints at a state word through the
correlation $S[j] = i - z$, which occurs with doubled probability (1/128 instead of
1/256), where $i$ is a known index of the RC4 state, $z$ is the hinting keystream word
and $S[j]$ is the hinted entry of the secret internal state.

The glimpse property was first mentioned on the web page of Jenkins ([Jen96])
and was first brought to the formal literature in [MS01] in 2001. In Chapter 7 of
[Man01] Mantin analyzed the glimpse property, defined a generalized version
of the correlation and discovered small biases in the keystream that stem from
it. However, since the glimpse discloses a negligible part of the internal state
(one byte out of 1700), and does so with a biased but still small probability,
that remained the last attempt to exploit this property to attack RC4.

In this paper we revisit the glimpse in RC4 and RC4-like stream ciphers, 
analyze its origin and discuss the ways a cryptanalyst can use it. We define a 
generalized version of the glimpse and discuss the availability of the generalized 
correlations in RC4 and RC4-like ciphers. 

Our main result is a practical key recovery attack on RC4 that works even
when the common recommendation of discarding a 256-byte prefix of the
keystream is adopted. The attack works in a mode of operation where an initial
value (IV) is concatenated to the beginning of the root key, and works in both
the chosen-IV and known-IV models. The attack allows some data-time tradeoff
that depends on the length of the root key. For example, one parameter setting
for a 16-byte key allows the attacker to recover the key in $2^{48}$ steps using $2^{17}$
data, or with $2^{32}$ steps using $2^{20}$ data. In the known (random) IV model the data
complexity of the attack requires an additional multiplicative factor of $N = 256$
in order to have a sufficient number of "good" IVs.

In the second part of the work we present the fork model, where many
instances of RC4 are available to the attacker with almost equal states, and show
that in this model an attacker can use the glimpse property to recover the RC4
internal state. We show two realizations of this model; the first is where the IV
modifier is concatenated to the end of a secret root key in order to generate many
independent RC4 keystreams from a single secret root key. In this mode we
mount chosen and known (random) IV attacks that recover the secret key by
analyzing $2^{22}$ keystreams that were generated from this key and different IVs.
Another realization of this model is where the attacker injects faults into the
execution of RC4 and distorts the generated keystream. In that case we mount
a fault attack that uses $2^{14}$ faulty keystreams to recover the internal state and
the secret key.

The rest of the paper is organized in the following way: In Sect. 2 we describe 
RC4 and previous cryptanalysis. In Sect. 3 we re-present the glimpse property 
and analyze its origin and availability. In Sect. 4 we describe key recovery attacks 
on RC4 in the preceding IV mode when the first 256 bytes are thrown. In Sect. 
5 we present the Fork model and use the glimpse property to mount an attack 
on RC4 in this model. In Sect. 6 we adjust the fork model attack to mount a key 
recovery attack on the succeeding IV mode. In Sect. 7 we adjust the fork model 
attack to mount an efficient fault attack on RC4. We summarize our work in 
Sect. 8. 
KSA(K[0..l-1])                            PRGA(K)
  Initialization:                           Initialization:
    For i = 0 ... N-1                         i = 0
      S[i] = i                                j = 0
    j = 0                                     S = KSA(K)
  Scrambling:                               Generation loop:
    For i = 0 ... N-1                         i = i + 1
      j = j + S[i] + K[i mod l]               j = j + S[i]
      Swap(S[i], S[j])                        Swap(S[i], S[j])
                                              Output z = S[S[i] + S[j]]

Fig. 1. The Key Scheduling Algorithm and the Pseudo-Random Generation Algorithm

2 RC4 and Its Security 

2.1 Description of RC4 

RC4 consists of 2 parts (described in Fig. 1): a key scheduling algorithm KSA,
which turns a variable-size key (with typical size of 5-32 bytes) into an initial
permutation $S$ of $\{0, \ldots, N-1\}$, and an output generation part PRGA, which
uses this permutation to generate a pseudo-random keystream.

The PRGA initializes two indices $i$ and $j$ to 0, and then loops over four
simple operations which increment $i$ as a counter, increment $j$ pseudo-randomly,
exchange the two values of $S$ pointed to by $i$ and $j$, and output the value of $S$
pointed to by $S[i] + S[j]$¹.
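The KSA and PRGA of Fig. 1 together with a measurement of the glimpse correlation from the Introduction, as an added Python example (not code from the paper). `prga_rounds` exposes the live permutation after each round so that `glimpse_rate` can count how often the hinted entry $S[j]$ really equals $i - z \bmod N$; the same function with a probe of an unrelated entry (here $S[j+1]$, an arbitrary choice) gives the $1/N$ baseline for comparison. `DEMO_KEY` is a constructed key; the effect does not depend on it. The derivation is the one behind Jenkins' correlation: when $S[i] + S[j] = i$ the output is $z = S[i] = i - S[j]$, and in every other round the equality still holds by chance with probability about $1/N$.

```python
N = 256


def ksa(key):
    """Key Scheduling Algorithm (Fig. 1): l key bytes -> initial permutation S."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def prga_rounds(key, n_rounds):
    """PRGA (Fig. 1).  Yields (i, j, z, S) after every round; S is the live
    permutation right after the swap, so state/keystream correlations can be
    measured against the real secret state."""
    S = ksa(key)
    i = j = 0
    for _ in range(n_rounds):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        z = S[(S[i] + S[j]) % N]
        yield i, j, z, S


def keystream(key, n):
    """First n keystream bytes for `key`."""
    return bytes(z for _, _, z, _ in prga_rounds(key, n))


def glimpse_rate(key, n_rounds, probe=lambda i, j, S: S[j]):
    """Fraction of rounds in which probe(i, j, S) == i - z (mod N).
    With the default probe S[j] this is Jenkins' correlation (the glimpse),
    expected near 2/N; probing an unrelated entry should give about 1/N."""
    hits = 0
    for i, j, z, S in prga_rounds(key, n_rounds):
        if probe(i, j, S) == (i - z) % N:
            hits += 1
    return hits / n_rounds


# Constructed key for the measurement; any key shows the same correlation.
DEMO_KEY = b"glimpse-demo-key"

if __name__ == "__main__":
    print("keystream for key 'Key':", keystream(b"Key", 10).hex())
    print("Pr[S[j]   == i - z] :", glimpse_rate(DEMO_KEY, 200_000))
    print("Pr[S[j+1] == i - z] :", glimpse_rate(DEMO_KEY, 200_000, lambda i, j, S: S[(j + 1) % N]))
    print("2/N =", 2 / N, " 1/N =", 1 / N)
```

An attacker does not see $S$, so the rate is only measurable here because the simulator exposes it; what the attacker does get is that every keystream word $z$ makes the guess $S[j] = i - z$ twice as likely as a random one, and the attacks in the following sections accumulate exactly this advantage over many keystreams.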

2.2 Previous Analysis of RC4 

Cryptanalysis of RC4 is divided into two main parts, analysis of the initialization 
of RC4 and analysis of the keystream generation. The first part focuses on the 
KSA, the PRGA initialization and the integration of both, whereas the last 
focuses on the internal state and the round operation of the PRGA. 

Due to the simplicity of the initialization part and the major difference between
the typical key sizes and the effective size of the RC4 state, this part was
subject to extensive analysis and indeed numerous significant weaknesses were
discovered, of many types, including classes of weak keys ([Roo95]), patterns
that appear at twice and three times the expected probability (the second byte
bias [MS01]), propagation of key patterns through the KSA to the initial
permutation and through the PRGA initialization to the prefix of the stream (the
invariance weakness [FMS01]), related key attacks ([GW00]), statistical biases
in different prefixes of the generated stream ([FMS01] and [PP04]) and analysis
of the biased distribution of the RC4 initial permutation ([Mir02] and [Man01]).
However, the most devastating attack on RC4 was described in [FMS01], where
RC4 was proved to have serious related-key vulnerabilities, exposing several
implementations of RC4 to practical key recovery attacks; the affected
implementations are those that employ trivial key-IV combination methods such as
concatenation or exclusive-or. A subsequent work by Stubblefield et al. ([SIR01])
implemented the attack on the security protocols of the international standard
for wireless LAN communication 802.11b (WEP) that used RC4 in the IV
concatenation mode, and these protocols were declared broken.

¹ Here and in the rest of the paper all the additions are carried out modulo N.

This attack had a great impact on the trust of cryptographers and secu- 
rity designers in RC4, and the common practice for using RC4 today includes 
hardening of the initialization process by omitting some prefix of the keystream, 
usually 256 bytes as recommended by RSA Laboratories in [RSA01]. This hard- 
ening neutralizes most of the attacks and weaknesses that were discovered in 
RC4 initialization. However, this mode still has some weaknesses, including a 
biased distribution of the PRGA initial permutation ([Mir02]) and statistical 
biases in the first bytes that are emitted after the 256th round ([PP04]). 

Statistical analysis of the keystream generation part gave rise to several weak- 
nesses and biased patterns in RC4 keystreams. Golic ([Gol97]) and Fluhrer and 
McGrew ([FM00]) designed distinguishers of RC4 streams from random streams 
that require $2^{44.7}$ and $2^{30.6}$ keystream words respectively. Subsequently Mantin 
improved these results in [Man05] and designed a $2^{28}$ distinguisher. In that paper 
he also described several families of patterns, denoted in [Man05] as recyclable 
patterns, which occur in RC4 keystreams with extremely high probability, 
several times the probability in random streams, and described an algorithm 
that uses these patterns to predict in some rare cases bits and full bytes of RC4 
with success probabilities that are close to 1. 

Several other classes of RC4 partial states were defined and analyzed in 
[FM00], [MS01] and [PP03] as ones that create unique patterns in the output 
stream and allow a viewer of the output stream to recover parts of the inter- 
nal state with more than trivial probability (chapter 2 of [Man01] contains an 
overview of these classes). The cycle structure of RC4 state progression was 
also analyzed in [MT98] and [Fin94], where the latter describes short cycles that 
are unreachable by RC4. [KM+98], [MT98] and [Gol00] describe state recovery 
attacks through backtracking with complexity that is less than the square root 
of an exhaustive search over all possible states. However, due to the huge size of 
the state (1700 bits for n = 8), these attacks are completely impractical as they 
require more than $2^{700}$ steps. Mantin in [Man05] describes an approach that 
under some circumstances can improve this attack significantly through using 
the recyclable patterns. 

Two variants of RC4 were recently proposed, both slightly more complex than 
the original RC4 and claimed to be more secure than it. RC4A ([PP04]) was 
designed by Paul and Preneel and works with two RC4 tables. The generation 
stage of RC4A is slightly more efficient than RC4's, but the initialization stage 
requires at least twice the effort of RC4 initialization. VMPC ([Zol04]) was de- 
signed by Zoltak and includes several changes to the KSA, the IV integration 
method, the PRGA initialization, the round operation and the output selection 
method. Maximov described in [Max05] distinguishers for both variants, requir- 
ing $2^{54}$ data for VMPC and $2^{58}$ data for RC4A, and Tsunoo et al. subsequently 
described in [TS+05] prefix distinguishers for the VMPC and RC4A keystream 
generators, requiring $2^{23}$ keystream prefixes for RC4A and $2^{24}$ keystream pre- 
fixes for VMPC. A regular distinguisher (as opposed to a prefix distinguisher) 
of RC4A was shown in [Man05] that needs a keystream of $2^{29}$ keywords and is 
an adjusted variant of the RC4 distinguisher mentioned in this work. 

The trend of side-channel attacks has not skipped RC4. Hoch and Shamir 
made in [HS04] an exhaustive fault analysis of many stream ciphers including 
RC4 and found them all vulnerable to key recovery attacks in this model. In par- 
ticular their attack on RC4 requires $2^{16}$ faults. Biham et al. proposed in [BGN05] 
two other fault attacks on RC4; the impossible fault attack is based on using 
faults to force the cipher to enter the impossible states known as Finney's states 
([Fin94]). In the differential fault attack, the attacker compares many faulty 
keystreams to a non-faulty keystream and identifies the three permutation en- 
tries that are used in the first round, the second round, etc. Several variants 
and optimizations for this attack are described and the best configuration of the 
attack requires $2^{10}$ faults and key resets. 

2.3 Notations 

In the vast majority of RC4 implementations N = 256 and n = 8. In many cases we 
simplify expressions by using numbers instead of parameters. Whenever appro- 
priate, we mention this conversion. 

For a positive integer X we use the notation [X] to specify the domain 
of indices modulo X, i.e., [X] = {0, 1, ..., X − 1}. We denote the domain of 
permutations of [X] as P[X]. 

We use the notations $i_t$, $j_t$ and $S_t$ for the indices i and j and the permutation 
S after round t, where the rounds are indexed in accordance with i, i.e., $i_t = t$. 
Thus the KSA has rounds 0, ..., 255 and the PRGA has rounds 1, 2, .... We use 
the same indexing for both the KSA permutations and the PRGA permutations 
and whenever there might be a confusion, we use the notations $S^{(KSA)}$ and 
$S^{(PRGA)}$ respectively. 

The output function $Z : P[N] \times [N] \times [N] \to [N]$ is defined on RC4 states as 
$Z(S,i,j) \stackrel{d}{=} S[S[i] + S[j]]$. We denote output words with z and index them in 
the same manner as i and j, i.e., $z_t = Z(S_t, i_t, j_t)$. 
We denote the KSA key as K and its length as $\ell_K$. 

3 The Glimpse 

The glimpse property, as first introduced in [Jen96], is defined in Theorem 1. 

Theorem 1 (The Glimpse Main Theorem). Let $i \in [N]$. Then 

$$\Pr_{j \in [N],\, S \in P[N]}\big[S[j] = i - Z(S,i,j)\big] \approx 2/N \qquad (1)$$

$$\Pr_{j \in [N],\, S \in P[N]}\big[S[i] = j - Z(S,i,j)\big] \approx 2/N \qquad (2)$$

In other words, when z is the output then 

$$\Pr[S[j] = i - z] \approx \Pr[S[i] = j - z] \approx 2/N$$
The proof of Theorem 1 appears in the discussion of useful states in Sect. 2.3 of 
[Man01], and we only bring the intuition behind one of them (the second stems 
from symmetry). In the case where i = S[i] + S[j], the correlation occurs with 
probability 1 since 

$$Z(S,i,j) = S[S[i] + S[j]] = S[i] = i - S[j] \qquad (3)$$

In the other case (i ≠ S[i] + S[j]), the correlation occurs with a probability of 
1/N and thus the overall probability is 

$$1/N \cdot 1 + (1 - 1/N) \cdot 1/N \approx 2/N \qquad (4)$$

A generalized version of the glimpse was proved in Sect. 7 of [Man01], where 
different relations between i and z hint on corresponding relations between S[i] 
and S[j]. This generalization is given in Theorem 2. 

Theorem 2. Let f be a [N] → [N] function and let $h_f(x) \stackrel{d}{=} f(x) + x$. Suppose 
that $h_f$ is one-to-one in the domain [N] and onto [N]. Then for every $i \in [N]$, 

$$\Pr_{j \in [N],\, S \in P[N]}\big[S[j] = f(S[i]) \,\big|\, i = h_f(Z(S,i,j))\big] \approx 2/N \qquad (5)$$

The original glimpse is a special case with the degenerated function $f(x) \stackrel{d}{=} i - x$ 
and $h_f(z) = i$. The base condition $i = h_f(Z(S,i,j))$ occurs always and 
thus the probability of the derived condition $S[j] = f(S[i])$ is always 2/N. Thus 
many relations between the index i and the output word z imply corresponding 
relations between the permutation entries that are used. 

In Appendix A we discuss the availability of the glimpse and show 
that it exists in many other output selection functions. Notice that since the 
index j is secret, the output hints on a value in an unknown location. However, 
the value in this location was in a known location i immediately before this 
round and furthermore, this is the same value that was used to update j in this 
round. These facts underlie the analysis in the rest of the paper. 
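As an added, runnable illustration of Fig. 1 and Theorem 1 (this code is not from the paper): RC4 written directly from the KSA and PRGA of Fig. 1, with the keystream-prefix truncation of Sect. 2.2 as an option, and an empirical check that the two glimpse probabilities measured on real RC4 states come out near 2/N rather than 1/N. The random 16-byte keys and the seed used for the measurement are constructed for this experiment.

```python
import random

N = 256  # RC4 with n = 8, as in the vast majority of implementations


def ksa(key):
    """Key Scheduling Algorithm of Fig. 1: initialize S to the identity
    permutation of [N], then scramble it with the key (all additions mod N)."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def prga_round(S, i, j):
    """One round of the PRGA generation loop of Fig. 1. S is updated in
    place; returns the new indices and the emitted word z = S[S[i] + S[j]]."""
    i = (i + 1) % N
    j = (j + S[i]) % N
    S[i], S[j] = S[j], S[i]
    return i, j, S[(S[i] + S[j]) % N]


def keystream(key, length, drop=0):
    """Generate `length` keystream bytes. `drop` discards a keystream prefix
    first, i.e. the truncated RC4 of Sect. 2.2 (drop=256 for the [RSA01]
    recommendation)."""
    S = ksa(key)
    i = j = 0
    out = []
    for _ in range(drop + length):
        i, j, z = prga_round(S, i, j)
        out.append(z)
    return out[drop:]


def glimpse_rate(keys, rounds_per_key, seed):
    """Empirical check of Theorem 1 on real RC4 states: for each of `keys`
    random 16-byte keys (constructed from `seed`), run `rounds_per_key` PRGA
    rounds and count how often S[j] = i - z and S[i] = j - z hold for the
    state (S, i, j) after the round and the word z it emitted. Theorem 1
    predicts about 2/N for both, against 1/N for a truly random output."""
    rng = random.Random(seed)
    hits_j = hits_i = 0
    for _ in range(keys):
        S = ksa(bytes(rng.randrange(N) for _ in range(16)))
        i = j = 0
        for _ in range(rounds_per_key):
            i, j, z = prga_round(S, i, j)
            hits_j += int(S[j] == (i - z) % N)   # eq. (1)
            hits_i += int(S[i] == (j - z) % N)   # eq. (2)
    total = keys * rounds_per_key
    return hits_j / total, hits_i / total


if __name__ == "__main__":
    print("keystream for key 'Key':", bytes(keystream(b"Key", 9)).hex())
    pj, pi = glimpse_rate(100, 4096, seed=5)
    print("glimpse rates: %.5f %.5f   (2/N = %.5f, 1/N = %.5f)"
          % (pj, pi, 2 / N, 1 / N))
```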

4 Attacking the Truncated RC4 

One of the most popular IV combination methods for RC4 and other stream 
ciphers is a concatenation of the IV to the root key in order to obtain a one-time 
session key. This mode of operation was attacked by Fluhrer et al. in [FMS01] 
both in the case where the IV is concatenated to the end of the root key (we 
denote this mode as the succeeding IV mode) and in the case where the IV 
is concatenated to the beginning of the root key (we denote this mode as the 
preceding IV mode). Their attack on the preceding IV mode was found applicable 
to the RC4 implementation in WEP and it is sometimes referred to as the 
WEP attack or the FMS attack. The attack recovers the bytes of the root key 
one at a time, where in the iterative step IVs are selected that cause leakage 
of information from the target keyword into the first word of the generated 
keystream². Since the publication of this attack in 2001 the common practice in 
implementations of RC4 is to throw away a prefix of 256 bytes from the keystream and 
thus prevent access of the attacker to the first output word and foil the attack. 
We denote this usage mode of RC4 as the truncated RC4. 

In this section we present a new attack on the truncated RC4. The attack 
resembles the FMS attack in many aspects, where instead of using the leakage 
of the keyword to the first output word, we use the glimpse property to redirect 
the leakage to the 257th keystream word and thus overcome the omission of the 
first keystream words. 

The rest of this section is organized as follows. We first describe the WEP 
attack and the way in which particular keywords leak to the first keystream 
word. Afterwards we present a new leakage scenario where keyword info leaks to 
the 257th keystream word. We describe how the attack uses this leakage scenario 
to recover the root key and end with complexity analysis and a comparison to 
the WEP attack. 

4.1 The WEP Attack 

We denote the root key as RK and the session key that is combined from RK and 
an IV as SK. We denote the lengths of these keys by |RK| and |SK| respectively 
and the length of the IV by $\ell_{IV}$, and thus $|SK| = |RK| + \ell_{IV}$. 

The attack recovers the keywords one at a time. The iterative step of the 
attack assumes knowledge of some prefix of the RC4 keywords, and uses the 
first word of each of several keystreams to derive the next keyword (which we 
denote below as the target keyword). The attack starts with the known IV as 
a basis, and repeatedly applies the iterative step in order to recover all the 
keywords in the root key. The keystreams from which first words are taken to 
recover the target keyword, are carefully selected according to the IV that was 
used to generate them. 

The Iterative Step. The iterative step for the (x+1)th keyword SK[x] (which 
is $RK[x - \ell_{IV}]$) as the target keyword simulates the first x steps of the KSA 
using the x known keywords in order to recover the permutation after x rounds, 
$S_{x-1}$. The KSA uses the next keyword, which is the target keyword, to cal- 
culate the value of j in the next step, $j_x$, and thus this keyword can be easily 
derived from $j_x$. Since the swap in round x occurs in locations $i_x = x$ and $j_x$, 
$S_x[x] = S_{x-1}[j_x]$ and knowing $S_{x-1}$, $S_x[x]$ leads to $j_x$ and further on to the 
target keyword. 

The first output value is S[S[1] + S[S[1]]] and thus only three permutation 
entries are used for this calculation; the ones in locations 1, S[1] and S[1] + 
S[S[1]]. When these locations are lower than or equal to x after round x they 
are guaranteed not to be visited by i during the subsequent N − x rounds and 
with high probability of more than $e^{-3} \approx 5\%$ (using Lemma 1, which is proved in 
Appendix B) not to be visited by the pseudo-random index j during these rounds. 
In that case, the first keystream word can be deduced with high probability 
from the values that are at these locations in the permutation $S_x$. Furthermore, 
when in addition S[1] + S[S[1]] = x (in [FMS01] it was denoted as the resolved 
condition) the first keystream word $z_1$ is exactly $S_x[x]$, from which the target 
keyword can be derived. 

² The attack is therefore a Known Plaintext Attack (KPA). Stubblefield et al. subse- 
quently showed that the first plaintext byte in typical WEP applications is a constant 
header and thus the KPA model is realistic. 

Formally, when 1, S[1] < x and S[1] + S[S[1]] = x, then with probability of 
at least 5% 

$$SK[x] = j_x - j_{x-1} - S_{x-1}[x] = S^{-1}_{x-1}[S_x[x]] - j_{x-1} - S_{x-1}[x] \overset{\text{w.p.}\ \geq 1/e^3}{=} S^{-1}_{x-1}[z_1] - j_{x-1} - S_{x-1}[x] \qquad (6)$$

Thus when IVs are selected that cause $S_{x-1}$ to satisfy the resolved condition, 
the above calculation points to the correct target keyword with probability of 
about 5%. Using this observation Fluhrer et al. recovered the target keyword 
through employing a simple voting mechanism where every first keystream word 
gives a vote to a keyword candidate. 

Analysis of the WEP Attack. In [FMS01] it was estimated that in order 
to mount the attack for a particular keyword the attacker needs about 60 votes, 
from which an average number of three votes go to the correct target keyword. 
In order to guarantee the 5% probability, these votes must come from situations 
where the resolved condition was satisfied and thus in the chosen IV model the 
number of IVs that are needed is 60 per keyword. 

In the known IV model the situation is more complicated, where the attacker 
must wait for IVs that lead to the resolved condition, which under reasonable 
randomness assumptions have a fraction of $x/N^2$, and thus the (x+1)th keyword 
requires $60N^2/x$ IVs. Since the data can be reused for different iterative steps 
the main complexity parameter for the attack is the maximal number of IVs for 
a keyword, which is $60 \cdot N^2/\ell_{IV}$. A somewhat surprising result is that the attack 
works better when longer IVs are used. 


4.2 The New Attack 

We present a similar leakage from the target keyword in two stages, to $S_1^{(PRGA)}[1]$ 
and through it to the 257th keystream word $z_{257}$. 

We first describe the way the target keyword information reaches location 1 of S. Suppose that after 
round x − 1 of the KSA we have $S_{x-1}[1] = x$. In the next round some arbitrary 
value Y, pointed to by j, is swapped into location x. This Y leads to the target 
keyword in the same manner as in the WEP attack (known $S_{x-1}$, Y leads to $j_x$, 
$j_x$ leads to SK[x]). Suppose that during the remaining N − x KSA rounds the 
values x and Y remain at locations 1 and x. The probability of this event is at 
least $1/e^2$ (using Lemma 1). In the first round of the PRGA we get 

$$i_1 = 1 \qquad (7)$$

$$j_1 = j_0 + S_0^{(PRGA)}[1] = S_{N-1}^{(KSA)}[1] = x \qquad (8)$$

$$S_1^{(PRGA)}[1] = S_0^{(PRGA)}[j_1] = S_{N-1}^{(KSA)}[x] = Y \qquad (9)$$

Thus with probability $1/e^2$ target keyword info leaks into $S_1^{(PRGA)}[1]$. In the 
next 255 rounds of the PRGA i traverses locations 2, ..., 255, 0 and with prob- 
ability 1/e (again we use Lemma 1) the index j also skips location 1 and then 
$S_{256}^{(PRGA)}[1] = S_1^{(PRGA)}[1] = Y$. However, the glimpse property causes informa- 
tion on this particular byte to leak to the next keystream word and thus we 
complete a leakage chain from the target keyword to $z_{257}$. 

Combining these observations with the glimpse probabilities we get (proba- 
bilities are presented over the equality sign) 

$$i_{257} - z_{257} \overset{2/N}{=} S^{(PRGA)}_{256}[1] \overset{1/e}{=} S^{(PRGA)}_{1}[1] \overset{1/e^2}{=} Y \qquad (10)$$

Thus we reach a probability of $2e^{-3}/N$ for the complete scenario to occur and 
in this case the correct target keyword is 

$$SK[x] = S^{-1}_{x-1}[i_{257} - z_{257}] - j_{x-1} - S_{x-1}[x] \qquad (11)$$

Notice that when the chain breaks, there is still a probability of 1/N to have a 
lucky guess and thus the overall probability for a successful guess is 

$$\Pr\big[SK[x] = S^{-1}_{x-1}[i_{257} - z_{257}] - j_{x-1} - S_{x-1}[x]\big] \approx 2e^{-3}/N + (1 - 2e^{-3}/N) \cdot 1/N \approx (1 + 2e^{-3})/N \qquad (12)$$

Simulations we carried out show that this analysis is somewhat optimistic and 
that the actual probability for a correct guess (given that the IV conditions are 
satisfied) is 1.075 · 1/N. 


4.3 Complexity Analysis 

Next we compare the attack parameters and probabilities to those of the WEP 
attack. The probability of having a "good" IV increases from $x/N^2$ in the WEP 
attack to 1/N (we need only $S_{x-1}[1] = x$). However, the advantage in the voting 
process significantly decreases from 5% to 1.075/256. Thus the voting in this 
attack is much harder than in the WEP attack, even though a larger fraction of 
the IVs are "good", and this voting requires almost one million "good" IVs (see 
Fig. 2) for recovering the target keyword with a probability that is close to 1. 

However, a smarter key recovery algorithm can tolerate some errors in the guess- 
ing. The algorithm can guess C possible values for every keyword and check all the 
possible $C^{\ell_K}$ branches, where a typical value for C is 4-5. Typical RC4 keys are 16 
bytes or below, which makes the number of possibilities checked by the algorithm 
no more than $5^{16} \approx 2^{37}$. This attack can be further optimized by using a smart 
branching strategy that, instead of using a fixed branching factor, selects the num- 
ber of branches according to the result of the voting, e.g., avoiding branching when 
a single value sticks out clearly as the correct keyword. However, in this extended 
abstract we limit the discussion to the simple case of a fixed branching factor. 

Fig. 2. The number of IVs that are required for different success probabilities (for the 
attack on the Truncated RC4). The different graphs are for different selections of the 
branching factor C. 

In Fig. 2 we show the number of samples of "good" IVs that are required for 
different success probabilities and different selections of the branching factor C. 
For example, for C = 8 the attack requires a practical amount of $2^{17}$ "good" IVs 
in order to get a success probability of 80% for recovery of every keyword. The 
selection of C depends heavily on the key length, where large C's can be used 
only when the key is short. For example, for a 16-byte key, using C = 8 implies a 
time complexity of $8^{16} = 2^{48}$ and using C = 4 the time complexity drops to $2^{32}$. 

In the known (random) IV model the data complexity increases by a factor 
of N, which is the expected number of IVs until a "good" one is found. With 
the above parameter setting the data complexity for a known IV attack grows 
to $2^{25}$ whereas the time complexity remains the same $2^{48}$. 

5 The Fork Model 

In this section we discuss a situation where many identical instances of RC4 
diverge at a certain point, i.e., at a certain point they have the same state 
(permutation and indices) and afterwards some small change to the state occurs, 
causing each of the instances to evolve differently. A small change in this context 
may be a change in j and possibly a change to a small number of permutation 
entries. We show that in this model, given a sufficient number of instances, the 
permutation at the divergence point can be recovered. 

Fig. 3. The number of IVs that are required for different success probabilities (for the 
attack on RC4 in the fork model) 

The attack goes iteratively over the permutation entries and recovers one 
permutation value at a time. Let S be the permutation at the divergence point 
and let t be an index for which the attacker wants to reveal S[t] = x. The 
attacker waits until the round where the index i reaches location t and looks at 
the keystream word that was emitted at that point. If the attacker is lucky, the 
value x remains in location t until that round (we denote this event as A) and due 
to the glimpse property the emitted value will be biased towards i − S[j] = i − x 
(we denote the event where z = i − x by B). Using Lemma 1 (which is proved 
in Appendix B) we estimate the probability of A with $p_A = 1/e$ and the glimpse 
property guarantees that the event B occurs with probability 2/N. Assuming 
independence of the events and uniform distribution of the output when both 
events do not occur (when exactly one of the events occurs the probability is 0) we get 

$$\begin{aligned}
\Pr[x = i - z] &= \Pr[A, B] + \Pr[\neg A, \neg B] \cdot 1/N \\
&= 2/N \cdot p_A + (1 - 2/N) \cdot (1 - p_A) \cdot 1/(N - 1) \\
&\approx 2/N \cdot p_A + (1 - p_A) \cdot 1/N \\
&= 1/N \cdot (1 + p_A) \\
&\approx 1/N \cdot (1 + 1/e)
\end{aligned} \qquad (13)$$
This probability was verified through simulations and indeed the correct x value 
has a significant advantage over other guesses. Through using a voting mechanism 
where votes are given to values i − z, the correct value of x is expected to notice- 
ably stick out. In Fig. 3 we analyze the number of iterations that are required for 
recovery of x under these circumstances. After 20,000 iterations, every permu- 
tation entry is recovered with success probability of 80%. The iterative step is 
repeated for each of the permutation entries and under reasonable assumptions 
of independence the same data can be reused for each of the locations. 

Notice that in the case where 80% of the guesses are correct, there are still 
50 permutation entries that are guessed incorrectly. However, the attacker can 
avoid guesses that have only a small advantage and use only those with a high 
level of confidence. As was shown in [KM+98], having a significant part of the 
permutation provides the critical mass for completion of the state recovery task. 

6 Attacking the Succeeding IV Mode 

While presenting a practical key recovery attack for the preceding IV mode, 
Fluhrer et al. only showed in [FMS01] several sets of weak keys for the succeeding 
IV mode. 

However, this mode of operation "almost" realizes the fork model, where the 
first rounds of the KSA use an identical part of the key (the root key) whereas 
the following rounds use different parts of the key (IVs). The "almost" is due to 
the fact that the KSA does not output words and thus the first leakage occurs 
only in the beginning of the PRGA, i.e., after $N - \ell_K$ rounds that ruin $N - \ell_K$ 
entries from the divergence permutation. 

However, this hurdle can be overcome through appropriate adjustments. In 
order to reveal a single permutation entry, the attacker can direct the leakage of 
this value to a fixed location $\ell_K$, which leaks through the $\ell_K$-th keystream word. 

In every step of the attack, the attacker fixes IV[0] and uses varying values 
for the rest of the IV. After $\ell_K$ rounds of using words of the root key, the index 
j in round $\ell_K$ depends on the "keyword" IV[0] in an additive manner and thus 
every value IV[0] implies a different $j_{\ell_K}$, a different value in location $\ell_K$ after 
round $\ell_K$ and eventually a leakage of a different permutation entry to the $\ell_K$-th 
keystream word. 

Thus for every value of IV[0] a new value leaks to the keystream. Notice 
that the keywords are used in an additive manner and thus any increase of 
IV[0] causes a similar increase in j at the corresponding round and eventually 
the attacker learns the permutation at the divergence point, but with a fixed 
shift that depends on the unknown $j_{\ell_K - 1}$, and needs to try all possible 256 
shifts in order to recover the correct permutation. Notice that $j_{\ell_K - 1}$ is unknown 
at this stage and thus every step of the attack (with a fixed IV[0]) exposes a 
permutation entry from an unknown location. Thus the attacker needs to try all 
possible values for $j_{\ell_K - 1}$ in order to complete the recovery of the permutation. 

Since every stage of the attack needs IVs with a different IV[0], data cannot 
be reused for the different stages and a multiplicative factor of N should be 
considered when evaluating the amount of data that is needed for the attack, 
i.e., instead of recovering the permutation with $2^{14}$ keystreams and IVs the 
attack needs $2^{22}$ keystreams and IVs. The number of steps is proportional to the 
amount of IVs. 

Notice that the attack is somewhat wasteful as it always works with one location 
out of the $\ell_K$ locations that leak information to the keystream. This attack can 
thus be further optimized for at least partial reuse of the data. The optimized 
attack uses only $N/\ell_K$ values for IV[0] that have additive differences of $\ell_K$ 
between them, and each of these values is reused for recovering $\ell_K$ permutation 
entries. This optimization improves the data complexity of the attack by a factor 
of $\ell_K$ and thus for a 16-byte key, the data complexity of the attack drops to $2^{20}$. 
However, this optimization works only in the chosen IV model. 

The last step of the attack is a recovery of the root key from the permutation. An 
efficient implementation of this stage is described in the appendix of [FMS01]. 

7 Fault Attack on RC4 

In this section we describe a fault attack on RC4 that is based on realization of 
the fork model. 


7.1 The Attack Model 

We assume that the attacker can apply several types of faults to the crypto- 
graphic device. In a data fault the attacker causes some bit-flipping changes to 
RAM or internal registers. In a flow fault the attacker causes small changes to 
the flow of the executed program, e.g., skipping an instruction, changing the 
address of accessed memory, etc. 

Following [HS04] we assume that the attacker has only limited control over 
the fault: he can select the fault area but not a particular bit, and he 
has no knowledge of which fault eventually occurred and when exactly it 
happened. As usually assumed in fault analysis, we assume that the attacker 
can reset the system with the same key, i.e., cause the system to get back to 
the original configuration, cancelling the previously made faults and reusing the 
same key. This model is somewhat conservative, but more realistic than a model 
where the attacker is more powerful. 

7.2 The Attack 

The objective of the attack is to recover the initial permutation of RC4, $S_0$, which 
is the output of the KSA and the input of the PRGA. Other permutations can be 
recovered through a similar approach. The attacker injects into the PRGA process 
faults that change the progression of j; in order to do that, the attacker 
needs to inject either a fault to j or a fault to one of the entries of S that are 
located closely after the index i. 

The identical part of the instances is the execution until the fault and the 
divergence is in the fault. By reusing the analysis from Sect. 5 we conclude that 
the number of faults that are required for recovery of the state that precedes the 
fault is $2^{14}$. 

8 Summary 

In this paper we presented several new attacks on RC4, all relying on a combi- 
nation of a leakage of state information to the keystream with a slow evolution 
of the state, both of which are inherent properties of RC4's fundamental mech- 
anisms. Since the leakage is from a "moving target" part of the state we could 
not exploit it to attack the keystream generation of RC4 and the applicability 
of the attack is limited to particular modes of operation. 

We proved the common belief that throwing away 256 words removes all the vul- 
nerabilities of RC4 initialization to be faulty by showing that the preceding IV 
mode remains weak even in this case. Despite the fact that the attack is ap- 
plicable only for a particular key-IV combination method, we believe that similar 
attacks on equivalent key-IV combination methods such as exclusive-or and suc- 
ceeding IV are not out of reach. The RC4 KSA is intolerably sensitive to related key 
analysis and minimal control is sufficient for an attacker to direct this leakage 
to desired places. 

RSA Security recommends in [RSA01] employing at least one of omitting 
256 bytes and employing a stronger key-IV combination method. From our findings 
this recommendation turns out to be insufficient as it "allows" modes of operation 
that are completely insecure. Our recommendation is to avoid using RC4 without 
employing both strengthening methods, or at least to throw away a longer prefix of 
the keystream as proposed by Mironov in [Mir02]. 

In addition, we presented attacks on the succeeding IV mode that are stronger 
than previously known ones and a new fault attack that is comparable to known 
ones in its complexity. 
A Availability of the Glimpse 

The existence of the glimpse stems from the usage of permutation access of depth 
two when selecting the output value. In Conjecture 1 we generalize the glimpse 
in a different direction than Theorem 2 and claim that the glimpse will exist for 
almost any output selection function of depth two. 

We begin with defining a general output selection function. Let $f, g : [N] \to [N]$ 
be invertible functions and denote the corresponding inverse functions by F 
and G respectively. Let $h : [N] \times [N] \to [N]$ be a 2-parameter function that is 
invertible in each of its parameters, and let $H_1$ and $H_2$ be the inverse functions 
of h where 

$$\forall X, Y \in [N],\quad H_1(X, h(X,Y)) = Y,\quad H_2(h(X,Y), Y) = X$$
Conjecture 1 (The Generalized Glimpse Conjecture). 

Let $Z(S,i,j) \stackrel{d}{=} f(S[h(S[g(i)], S[j])])$ be an output selection function of an 
RC4-like keystream generator. Then, 

$$\Pr_{i \in [N],\, j \in [N],\, S \in P[N]}\big[S[j] = H_1(F(Z(S,i,j)), g(i))\big] \approx 2/N \qquad (14)$$

We will give the intuition behind Conjecture 1. In order to simplify the expres- 
sions we define $Z' \stackrel{d}{=} F \circ Z$ and $i' \stackrel{d}{=} g(i)$, and thus given that $Z'(S,i,j) \stackrel{d}{=} 
S[h(S[i'], S[j])]$ we need to show that 

$$\Pr_{i \in [N],\, j \in [N],\, S \in P[N]}\big[S[j] = H_1(Z'(S,i,j), i')\big] \approx 2/N \qquad (15)$$

We define two functions over the domain of RC4 states and two corresponding 
events. The internal dependency function IDF(S, i', j) is defined as h(S[i'], S[j]) 
and the event where i' = IDF(S, i', j) is denoted as $A_{IDF}$. The external depen- 
dency function EDF(S, i', j) is defined as $H_1(Z'(S, i', j), i')$ and the event where 
S[j] = EDF(S, i', j) is denoted as $A_{EDF}$. Our arguments follow the original 
proof of the glimpse. 

We observe two cases. In the first case $A_{IDF}$ occurs. In that case $A_{EDF}$ 
occurs with probability 1 in the same manner as the original glimpse: 

$$z' = Z'(S,i,j) = S[h(S[i'], S[j])] = S[i'] \qquad (16)$$

$$i' = h(S[i'], S[j]) = h(z', S[j]) \qquad (17)$$

$$S[j] = H_1(z', i') = H_1(F(Z(S,i,j)), g(i)) \qquad (18)$$

In the other case, IDF(S, i', j) is almost random and with the uncertainty in 
S and j causes a distribution that is very close to uniform for z'. Thus the 
probability of $A_{EDF}$ is $1/N \cdot 1 + (1 - 1/N) \cdot 1/N \approx 2/N$. 

B RC4 State Evolution 

The RC4 permutation evolves fairly rapidly with the generation, where on every 
round two values change locations. The index i progresses in a predictable manner, 
traversing the permutation sequentially, and thus guarantees that no location 
or value is left untouched during a sequence of N rounds (it is possible that 
a value is swapped with itself). The index j adds pseudo-randomness to the 
state progression by jumping between the permutation entries in a seemingly 
unpredictable manner. However, when concentrating on a sequence that is shorter 
than N rounds, there are permutation entries which are guaranteed not to be 
visited by the index i, and these entries have a relatively high probability not to 
be touched by j either during this sequence of rounds. 

We formalize this situation in Lemma 1 and quote its proof from [Man05]. 

Lemma 1 (The Evolution Lemma). Let I be a set of r permutation loca- 
tions. Suppose that RC4 is in a state where the predictable course of the index i 
in the next k rounds avoids visiting I. Then the probability of the permutation 
S k rounds later to have the values in I unchanged is approximately $e^{-kr/N}$. 
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Proof. The index i does not reach any of the indices in 1. The index j progresses 
in a pseudo-random manner and reaches each of the r positions in each of the k 
rounds with probability 1 /N. Failing in these kr trials results with having the set 
X untouched and the probability of this event to occur is (1 — 1/N) kr rj e~ kr ^ N . 

□ 

In the special case where r = 1 and k < N we have a bound of 1/e for the 
probability of a single value, located more than k entries ahead of i to remain 
in place during the following k rounds. 
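As an added check (this simulation is not part of the paper), the following Python code estimates, over random RC4 states, the probability that r watched entries survive k rounds and compares it with the (1 − 1/N)^{kr} ≈ e^{−kr/N} of the lemma; drawing the starting permutation and the indices i, j uniformly at random is an assumption of the simulation.

```python
import math
import random

N = 256  # size of the RC4 permutation


def rc4_round(S, i, j):
    """One PRGA round: advance i, update j from S[i], swap. Returns (i, j)."""
    i = (i + 1) % N
    j = (j + S[i]) % N
    S[i], S[j] = S[j], S[i]
    return i, j


def lemma_bound(k, r):
    """Closed forms from the proof: (1 - 1/N)^(kr) and its approximation e^(-kr/N)."""
    return (1 - 1 / N) ** (k * r), math.exp(-k * r / N)


def untouched_probability(k, offsets, trials, seed=1):
    """Monte Carlo estimate of Pr[the r values at i+offset stay in place for k rounds].

    The permutation and the indices i, j are drawn uniformly at random (an assumption
    made here; the lemma is stated for any state). Every offset must exceed k, so the
    predictable course of i never reaches the watched set I: only j can disturb it.
    """
    if not all(off > k for off in offsets):
        raise ValueError("watched positions must lie more than k entries ahead of i")
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        S = list(range(N))
        rng.shuffle(S)
        i, j = rng.randrange(N), rng.randrange(N)
        watched = [(i + off) % N for off in offsets]
        before = [S[w] for w in watched]
        for _ in range(k):
            i, j = rc4_round(S, i, j)
        if all(S[w] == v for w, v in zip(watched, before)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # r = 1 with k = 100 (the 1/e special case region) and r = 4 with k = 64 (kr = N)
    for k, offsets in ((100, [150]), (64, [80, 120, 160, 200])):
        exact, approx = lemma_bound(k, len(offsets))
        est = untouched_probability(k, offsets, trials=4000)
        print(f"k={k:3d} r={len(offsets)}: simulated {est:.3f}, "
              f"(1-1/N)^kr {exact:.3f}, e^(-kr/N) {approx:.3f}")
```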
Abstract. Stream cipher Hiji-Bij-Bij (HBB) was proposed by Sarkar at Indocrypt'03. This cipher uses cellular automata (CA). The algorithm has two modes: a basic mode (B) and a self-synchronizing mode (SS).

This article presents the first attack on the B mode of HBB using a 128-bit secret key. This is a known-plaintext guess-then-determine attack. The main step in the attack guesses 512 unknown bits out of the 640 bits of the initial internal state. The guesses are done sequentially and the attack uses a breadth-first-search-type algorithm so that the time complexity is 2^50.

Keywords: cryptanalysis, known-plaintext attack, HBB, stream cipher.

1 Introduction 

A typical stream cipher generates a long sequence of pseudo-random numbers, known as the key stream, from a given seed (a secret key). The plaintext message M is then XORed with the key stream to generate the ciphertext C. Thus, a stream cipher handles each bit of plaintext separately.

In this article, we will concentrate on the stream cipher HBB, proposed by Sarkar at Indocrypt'03 [1]. This is the first stream cipher replacing the LFSR by a CA. It is a classical masking-type stream cipher, i.e. it evolves a linear and a non-linear generator and XORs selected portions of these to produce the key stream. Thus, the design methodology is classical and there are other ciphers like SNOW which use the same principle. The non-linear part has some nice provable properties. These are aimed at resisting correlation and low-diffusion attacks. The linear portion ensures a sequence of vectors with a long period. Again, there are ciphers like SNOW [4] and TURING [5] which use such sequence generators. So, the weakness in HBB is possibly in the way the CA is used. The design has certain flaws that are to be considered while suggesting new ciphers involving CA. Ours is a guess-then-determine known-plaintext attack. The FSE'05 attack [2] was an algebraic attack. The present attack exploits structural weaknesses in greater depth than previously done. Some salient features of our attack are as follows: (1) It exploits a weakness in the use of the CA. (2) It exploits the linearity in the mixing of the linear part into the non-linear part. (3) It proves an interesting property of the nonlinear update function: fixing the first 32 bits of the output of the nonlinear update function ensures that there are 2^24 choices for each of the four 32-bit blocks of the input. While by itself this is not a weakness, it is combined with the first two properties to get an efficient attack.

B. Roy (Ed.): ASIACRYPT 2005, LNCS 3788, pp. 412-424, 2005.

The HBB cipher has two modes: basic mode (B) and self-synchronizing mode (SS). So far two articles have been found in the literature dealing with cryptanalysis of HBB. (Other articles on this topic are not known to the author.) Joux and Muller [2] have shown that the SS mode of HBB is not secure. They have also attacked the B mode. Their attack requires more than 2^50 bits of known plaintext and more than 2^142 time. Vlastimil Klima [3] has presented another attack on the B mode, marginally faster than the one in [2]. His attack requires 34 blocks of known plaintext, i.e. 34 × 2^7 bits of known plaintext, and its time complexity is 2^140. Thus, so far the B mode of HBB, using a 128-bit secret key, seemed secure. The present work attacks only the B mode of HBB. This attack requires 225 blocks of consecutive plaintext to be known. It guesses 512 bits of internal state in a sequential manner, so that the time complexity does not exceed 2^50. Thus, the present attack is a near-practical one and shows that the B mode of HBB, even using a 128-bit secret key, is also not secure.

The rest of the article is organized as follows: Section 2 describes one round of the B mode of HBB. (An understanding of cellular automata (CA) is not required to follow this attack. Hence CA are not discussed.) Section 3 describes our first attack, having time complexity 2^61, for finding the initial internal state of 640 bits. Next, in Section 4, we improve this attack to get the unknown 640 bits of initial internal state in 2^50 time. Finally we present our conclusion in Section 5, followed by references.

One reviewer has pointed out that some of the ideas used in the attack have earlier appeared in [7,8,9].

2 One Round of HBB

We start by describing one round of B mode of HBB encryption. We use two 256-bit constants given by:

R_0 = (80ffaf46977969e971553665996e6626 463372952308c787684c7cce36d501e6)_16

R_1 = (dd18c626153df31ac98e86c1910fee24 2942d5164201e63dc1d1a85f57689196)_16

And a 128-bit string x will also be written as a 4 × 32 matrix

M = [ x_0 ]
    [ x_1 ]
    [ x_2 ]
    [ x_3 ]

where x = x_0||x_1||x_2||x_3 and each x_i is a 32-bit string.

One Round of HBB Encryption. One round of HBB encryption, i.e. encryption of the i-th message block M_i, i ≥ 0, is described as follows:
Algorithm 1. HBB Encrypt

Input: Plaintext M_i
Output: Ciphertext C_i

Internal State at the beginning of encryption:

a) Non-linear core : N_{i−1} = N_{i−1,0}|| ... ||N_{i−1,3}

b) Linear core : L_{i−1} = L_{i−1,0}|| ... ||L_{i−1,15}
/* each substring is 32-bit long */

Update internal state and compute key stream K_i and ciphertext C_i

1. Update Linear Core /* L_i = NextState(L_{i−1}) */

1.1 LX_{i−1} = L_{i−1,0}|| ... ||L_{i−1,7} ; LY_{i−1} = L_{i−1,8}|| ... ||L_{i−1,15} ;

1.2 LX_i = (LX_{i−1} << 1) ⊕ (LX_{i−1} >> 1) ⊕ (LX_{i−1} ∧ R_0) ;

1.3 LY_i = (LY_{i−1} << 1) ⊕ (LY_{i−1} >> 1) ⊕ (LY_{i−1} ∧ R_1) ;

1.4 L_i = LX_i||LY_i ;

2. Half-update Non-Linear Core /* NZ_i = updateNLC(N_{i−1}) */

2.1 NV_i = NLSub(N_{i−1}) ; /* replace each byte by its image */

2.2 NW_i = Delta(NV_i) ; /* replace each word by XOR of other three words */

2.3 NX_i = RotateLeft(NW_i) ; /* rotate j-th word by 8 * j + 4 bits */

2.4 NY_i = FastTranspose(NX_i) ; /* replace each 4×4 sub-matrix by its transpose */

2.5 NZ_i = NLSub(NY_i) ;

3. Compute Key-Stream K_i

K_{i,0} = NZ_{i,0} ⊕ L_{i,0} ; K_{i,1} = NZ_{i,1} ⊕ L_{i,7} ;

K_{i,2} = NZ_{i,2} ⊕ L_{i,8} ; K_{i,3} = NZ_{i,3} ⊕ L_{i,15} ;

4. Compute N_i /* updated non-linear core */

N_{i,0} = NZ_{i,0} ⊕ L_{i,3} ; N_{i,1} = NZ_{i,1} ⊕ L_{i,4} ;

N_{i,2} = NZ_{i,2} ⊕ L_{i,11} ; N_{i,3} = NZ_{i,3} ⊕ L_{i,12} ;

5. Compute Ciphertext C_i
C_i = M_i ⊕ K_i ;

Internal State at the end of encryption: N_i and L_i


3 A Simple Attack on HBB

Ours is a known-plaintext attack and we will assume that the key streams K_i for 0 ≤ i ≤ 224 are known. (This is equivalent to knowing the (M_i, C_i) pairs for 0 ≤ i ≤ 224.) From the knowledge of these key streams, using a guess-then-determine attack, we will determine the entire internal state (L_0, N_0) (related to the encryption of the first message block M_0). A sketch of our attack is given below.

Algorithm 2. Sketch of Attack against HBB

Assumption: Key streams K_i, for 0 ≤ i ≤ 224, are known.

1. Determine LX_0 /* unknown 256 bits */

2. Determine LY_0 /* unknown 256 bits */

3. Compute N_0 = K_0 ⊕ (L_{0,0}||L_{0,7}||L_{0,8}||L_{0,15}) ⊕ (L_{0,3}||L_{0,4}||L_{0,11}||L_{0,12})

4. Proceed forward and break the rest of the cipher.
So, the complexity of the attack is really the complexity of finding the unknown 512 bits of the linear core L_0. The methods for determining LX_0 and LY_0 will be similar and will have the same time complexities. So, we will only discuss the attack against LX_0. The time complexity of our attack will be twice the time complexity of the attack against LX_0. The idea behind the attack against LX_0 is presented below.

Let us write LX_0 = ℓ||b_0 b_1 ... b_223 where ℓ is a 32-bit string and each b_i is a bit. We first note that, knowing ℓ||b_0 ... b_{t−1}, we can compute L_{i,0} for 0 ≤ i ≤ t uniquely. (See Algorithm A1, Appendix A for pseudocode.) Since K_{i,0} are known for 0 ≤ i ≤ t, we also know NZ_{i,0} = K_{i,0} ⊕ L_{i,0} for 0 ≤ i ≤ t. But if NZ_{i,0} is fixed, then N_{i−1,0} can have only 2^24 possible choices. (This result is proved in Section 3.1.) For every fixed i, the set of all such possible choices of N_{i−1,0} will be denoted by 𝒩_{i−1,0}. For every i = 0, ..., t − 1, from NZ_{i,0} (unique) and N_{i,0} (one of 2^24 choices) we get L_{i,3} = NZ_{i,0} ⊕ N_{i,0} (2^24 choices). The set of all possible (2^24) choices of L_{i,3} will be denoted by ℒ_{i,3}. Thus, we have

ℒ_{i,3} = {NZ_{i,0} ⊕ N_{i,0} : N_{i,0} ∈ 𝒩_{i,0}}

Next we consider the update function of the linear core. Given a choice x of L_{i,3}, we know the middle 30 bits of the corresponding choice y of L_{i+1,3}. We will write x ⇒ y to denote this. So, given ℒ_{0,3}, an x_1 is a valid choice of L_{1,3} only if for some x_0 ∈ ℒ_{0,3} we get x_0 ⇒ x_1. But ℒ_{1,3} is already obtained and we know that x_1 ∉ ℒ_{1,3} is not a valid choice of L_{1,3}. Hence, given ℒ_{0,3} and ℒ_{1,3}, the valid choices of L_{1,3} are given by the set

ℒ^V_{1,3}|ℒ_{0,3} = {x_1 ∈ ℒ_{1,3} : x_0 ⇒ x_1 for some x_0 ∈ ℒ_{0,3}}

The superscript "V" stands for "valid". Similarly, given ℒ_{0,3}, ℒ_{1,3} and ℒ_{2,3}, the valid choices of L_{2,3} will be given by the set

ℒ^V_{2,3}|ℒ_{0,3} = {x_2 ∈ ℒ_{2,3} : x_0 ⇒ x_1 ⇒ x_2 for some x_0 ∈ ℒ_{0,3}, x_1 ∈ ℒ_{1,3}}

             = {x_2 ∈ ℒ_{2,3} : x_1 ⇒ x_2 for some x_1 ∈ ℒ^V_{1,3}|ℒ_{0,3}}

We now define the following sets:

𝒩^V_{i,0} = {x ⊕ NZ_{i,0} : x ∈ ℒ^V_{i,3}|ℒ_{0,3}}

As a convention, we take 𝒩^V_{0,0} = 𝒩_{0,0}. Proceeding this way we can find 𝒩^V_{i,0} for 0 ≤ i ≤ t − 1, and for a wrong choice of ℓ||b_0 ... b_223, the set 𝒩^V_{223,0} will be empty. This constitutes an attack against LX_0. The idea is summarized below.

Algorithm 3. Idea behind first attack against LX_0

Guess ℓ||b_0 ⋯ b_t.

Compute L_{0,0}, L_{1,0}, ..., L_{t−1,0}, L_{t,0} (unique choice)

Compute NZ_{0,0}, NZ_{1,0}, ..., NZ_{t−1,0}, NZ_{t,0} (unique choice)

Compute 𝒩_{0,0}, 𝒩_{1,0}, ..., 𝒩_{t−1,0}, 𝒩_{t,0} (2^24 choices)

Compute 𝒩^V_{0,0}, 𝒩^V_{1,0}, ..., 𝒩^V_{t−1,0}, 𝒩^V_{t,0} (shrinking sets)
Certain finer points are to be noted. First, if at any stage 𝒩^V_{t,0} = ∅ then 𝒩^V_{223,0} = ∅. So, we need not compute 𝒩^V_{223,0} to declare a choice ℓ||b_0 ... b_223 of LX_0 to be wrong, and we can guess these bits in LX_0 sequentially. Second, we can compute 𝒩^V_{t,0} without computing ℒ^V_{t,3}|ℒ_{0,3} and without explicitly computing even 𝒩_{t,0}. (This computation and the reason for doing it are explained in Section 3.2.) The third point is a more important one. Suppose ℓ in LX_0 is fixed and suppose for all possible choices of b_0 ... b_{t−1} we have computed the sets 𝒩^V_{t−1,0}. These sets can be kept in a binary tree T. The root of T will be ℓ. For every other non-leaf node y ∈ T, its left (right) child will be the string y||0 (y||1). The node represented by x in T, with |x| = 32 + t bits, will contain the set 𝒩^V_{t−1,0} for x = ℓ||b_0 ... b_{t−1} only if 𝒩^V_{t−1,0} ≠ ∅. Thus T may have 2^t nodes at level t. The actual number may be less if some of the sets 𝒩^V_{t−1,0} are empty. (The level of the root is zero.) Now from each of the sets 𝒩^V_{t−1,0} at level t of T, and for each choice of b_t = 0, 1, we will compute 𝒩^V_{t,0}. But the resulting set will be added to the tree only if it is non-empty. It will be argued that this breadth-first type processing of sets can be done in 2^48 time, giving LX_0.

Below, the two sections (3.1 and 3.2) contain our results and algorithms to be used in the subsequently explained attack and its complexity (Section 3.3).


3.1 Determine N_{i−1,0} from NZ_{i,0}

Suppose we know NZ_{i,0} for some i ≥ 1. Since

NY_{i,0} = NLSub^{−1}(NZ_{i,0})

we can find NY_{i,0} = (y_31 ... y_0). Since FastTranspose transposes every 4×4 sub-matrix of its input, it is its own inverse. Thus using NY_i = FastTranspose(NX_i) we get NX_i = FastTranspose(NY_i) and hence,

NX_i = [ y_31 * y_27 * y_23 * y_19 * y_15 * y_11 * y_7 * y_3 ]
       [ y_30 * y_26 * y_22 * y_18 * y_14 * y_10 * y_6 * y_2 ]
       [ y_29 * y_25 * y_21 * y_17 * y_13 * y_9  * y_5 * y_1 ]
       [ y_28 * y_24 * y_20 * y_16 * y_12 * y_8  * y_4 * y_0 ]

where every "*" represents an unknown 4×3 matrix of bits. But NX_i was calculated as RotateLeft(NW_i) and so NW_i can be computed as

NW_i = RotateRight(NX_i)

where the j-th word of NX_i is given a circular right rotation by 8 * j + 4 bits. Hence,

NW_i = [ y_3  * y_31 * y_27 * y_23 * y_19 * y_15 * y_11 * y_7  ]
       [ y_10 * y_6  * y_2  * y_30 * y_26 * y_22 * y_18 * y_14 ]
       [ y_17 * y_13 * y_9  * y_5  * y_1  * y_29 * y_25 * y_21 ]
       [ y_24 * y_20 * y_16 * y_12 * y_8  * y_4  * y_0  * y_28 ]

where every "*" represents an unknown 4×3 matrix of bits. Next, we note that "Delta" is also its own inverse, and hence NV_i = Delta(NW_i). So, if we write NV_{i,0} = v_31 ... v_0 then

v_31 = y_10 ⊕ y_17 ⊕ y_24
v_27 = y_6 ⊕ y_13 ⊕ y_20
v_23 = y_2 ⊕ y_9 ⊕ y_16
v_19 = y_30 ⊕ y_5 ⊕ y_12
v_15 = y_26 ⊕ y_1 ⊕ y_8
v_11 = y_22 ⊕ y_29 ⊕ y_4
v_7 = y_18 ⊕ y_25 ⊕ y_0
v_3 = y_14 ⊕ y_21 ⊕ y_28

Thus, given NZ_{i,0}, we know 8 specified bits of NV_{i,0}. In particular, we know 2 bits of every byte of NV_{i,0}. Finally note that NV_i = NLSub(N_{i−1}) and hence, given NZ_{i,0}, we know 8 bits of the image (under NLSub) of N_{i−1,0}. To make this formal, let us define two functions g_1(x), g_2(x) : {0,1}^32 → {0,1}^8 as follows:

Function g_1(x)

1. Compute y = NLSub(x) = y_31 ... y_0

2. Compute a = y_31 y_27 y_23 y_19 y_15 y_11 y_7 y_3

3. Return a

Function g_2(x)

1. Compute y = NLSub^{−1}(x) = y_31 ... y_0

2. for j = 0, ..., 7 do

3.   a_j = y_{14+4j} ⊕ y_{21+4j} ⊕ y_{28+4j} (subscripts are computed mod 32)

4. end-do

5. Compute a = a_7 a_6 a_5 a_4 a_3 a_2 a_1 a_0

6. Return a

Also, for a ∈ {0,1}^8, define the following sets:

𝒩*(a) = {x ∈ {0,1}^32 : g_1(x) = a}   (1)

Then, using functions g_1, g_2 and sets 𝒩*(a), we have the following proposition:

Proposition 1. Given NZ_{i,0}, there are exactly 2^24 choices of N_{i−1,0}, given by:

𝒩_{i−1,0} = 𝒩*(g_2(NZ_{i,0}))

In particular, every byte of N_{i−1,0} can have 2^6 choices.
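To make Proposition 1 concrete, here is an added Python model of steps 2.1 to 2.5 of Algorithm 1 together with g_1 and g_2; it is not the author's code, and because the page does not give HBB's NLSub table, a seeded random byte permutation stands in for it (the counting argument only needs a bytewise bijection).

```python
import random

MASK32 = 0xFFFFFFFF

# Placeholder byte substitution (constructed): a seeded random permutation of
# 0..255 standing in for HBB's NLSub, whose table is not given on this page.
_rng = random.Random(2005)
SBOX = list(range(256))
_rng.shuffle(SBOX)
SBOX_INV = [0] * 256
for _v, _s in enumerate(SBOX):
    SBOX_INV[_s] = _v


def nlsub_word(x, table=SBOX):
    """Replace each byte of a 32-bit word by its image under `table`."""
    return sum(table[(x >> (8 * k)) & 0xFF] << (8 * k) for k in range(4))


def nlsub(words, table=SBOX):
    return [nlsub_word(w, table) for w in words]


def delta(words):
    """Replace each word by the XOR of the other three (step 2.2); self-inverse."""
    total = words[0] ^ words[1] ^ words[2] ^ words[3]
    return [total ^ w for w in words]


def rotate_left(words):
    """Rotate the j-th word left by 8*j + 4 bits (step 2.3)."""
    out = []
    for j, w in enumerate(words):
        n = (8 * j + 4) % 32
        out.append(((w << n) | (w >> (32 - n))) & MASK32)
    return out


def fast_transpose(words):
    """Transpose each 4x4 sub-matrix of the 4x32 bit matrix (step 2.4); self-inverse.
    Row r is words[r]; inside block c (bits 4c+3..4c) column p is bit 4c+3-p."""
    out = [0] * 4
    for c in range(8):
        for r in range(4):
            for p in range(4):
                bit = (words[p] >> (4 * c + 3 - r)) & 1
                out[r] |= bit << (4 * c + 3 - p)
    return out


def update_nlc(n_prev):
    """Half-update of the non-linear core, steps 2.1-2.5: N_{i-1} -> NZ_i."""
    return nlsub(fast_transpose(rotate_left(delta(nlsub(n_prev)))))


def g1(x):
    """Section 3.1: bits y31, y27, ..., y3 of y = NLSub(x), packed as a7..a0."""
    y = nlsub_word(x)
    return sum(((y >> (3 + 4 * j)) & 1) << j for j in range(8))


def g2(x):
    """Section 3.1: a_j = y[14+4j] ^ y[21+4j] ^ y[28+4j] (mod 32), y = NLSub^-1(x)."""
    y = nlsub_word(x, SBOX_INV)
    a = 0
    for j in range(8):
        bit = (y >> ((14 + 4 * j) % 32)) ^ (y >> ((21 + 4 * j) % 32)) ^ (y >> ((28 + 4 * j) % 32))
        a |= (bit & 1) << j
    return a


def proposition1_holds(trials=500, seed=1):
    """g1(N_{i-1,0}) == g2(NZ_{i,0}) on random (constructed) 128-bit cores."""
    rng = random.Random(seed)
    for _ in range(trials):
        n_prev = [rng.getrandbits(32) for _ in range(4)]
        if g1(n_prev[0]) != g2(update_nlc(n_prev)[0]):
            return False
    return True


def count_preimages(a):
    """|{x in {0,1}^32 : g1(x) = a}|, counted byte by byte: byte k of x only has
    to make bits 3 and 7 of SBOX[x_k] equal a[2k] and a[2k+1], so each byte has
    2^6 choices and the word 2^24, as Proposition 1 states."""
    total = 1
    for k in range(4):
        want3, want7 = (a >> (2 * k)) & 1, (a >> (2 * k + 1)) & 1
        total *= sum(1 for v in range(256)
                     if ((SBOX[v] >> 3) & 1) == want3 and ((SBOX[v] >> 7) & 1) == want7)
    return total


if __name__ == "__main__":
    print("Proposition 1 holds on random cores:", proposition1_holds())
    print("choices of N_{i-1,0} for one NZ_{i,0}:", count_preimages(0x5A), "=", 2 ** 24)
```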

3.2 Compute 𝒩^V_{t+1,0} from 𝒩^V_{t,0}

For k-bit strings x = x_{k−1} ... x_0 and r = r_{k−1} ... r_0, with k > 2, define the following:

1. m(x) will denote the string obtained from x by deleting its MSB and LSB.

2. f(x, r) = (x_{k−2} ... x_0||0) ⊕ (0||x_{k−1} ... x_1) ⊕ (x ∧ r).

Using this notation, y' ∈ ℒ^V_{t+1,3}|ℒ_{0,3} if and only if y' ∈ ℒ_{t+1,3} and, for some choice x' ∈ ℒ^V_{t,3}|ℒ_{0,3}, we get

m(f(x', r)) = m(y')   (2)

with r chosen suitably from the definition of the EvolveCA function given in HBB [1].

Lemma 1. Fix y = y_31 ... y_0. Then y ∈ 𝒩^V_{t+1,0} if and only if y ∈ 𝒩_{t+1,0} and, for some x ∈ 𝒩^V_{t,0} and some e_31, e_0 ∈ {0,1},

e_31||m(f(x ⊕ NZ_{t,0}, r)) ⊕ m(NZ_{t+1,0})||e_0 = y   (3)

Proof. The proof follows using equation 2.

To check if y ∈ 𝒩_{t+1,0}, we use the fact that

𝒩_{t+1,0} = 𝒩*(g_2(NZ_{t+2,0})) = {y : g_1(y) = g_2(NZ_{t+2,0})}

So, we can compute 𝒩^V_{t+1,0} as follows: initialize sets D1[j], 0 ≤ j < 256, as empty sets. For each x ∈ 𝒩^V_{t,0} and for every e_31, e_0 ∈ {0,1}, we compute y as in equation 3. Then insert y into the set D1[g_1(y)]. Once we have exhausted 𝒩^V_{t,0}, we set 𝒩^V_{t+1,0} = D1[g_2(NZ_{t+2,0})]. The pseudocode is given below.

Algorithm 4. Computation of 𝒩^V_{t+1,0} from 𝒩^V_{t,0}

0. for v1 = 0 to 255 do

1.   D1(v1) ← ∅ /* set initialized by ∅ */

2. end-do

3. for every x ∈ 𝒩^V_{t,0} do

4.   z ← m(f(x ⊕ NZ_{t,0}, r)) ⊕ m(NZ_{t+1,0})

5.   for (e_31, e_0) ∈ {0,1}^2 do

6.     Set y ← e_31||z||e_0

7.     Add y to the set D1[g_1(y)]

8.   end-do

9. end-do

10. 𝒩^V_{t+1,0} ← D1[g_2(NZ_{t+2,0})]

This computation of 𝒩^V_{t+1,0} has two major advantages: first, we do not need to maintain the set 𝒩_{t+1,0} (having 2^24 elements) explicitly, and hence no time is required to handle such sets. The second advantage is that we can compute the sets D1[v] for 0 ≤ v < 256 without the knowledge of NZ_{t+2,0}. This is going to be useful while finding the value of LX_0.

3.3 Algorithm to Determine LX_0

All valid choices of LX_0 will be found and will constitute a list FX. Writing LX_0 = L_{0,0}||b_0 ⋯ b_223, we can find FX as the union of sets FX(ℓ) that represent all valid choices of LX_0 with L_{0,0} = ℓ. For a given value ℓ of L_{0,0}, we will now construct the set FX(ℓ). Suppose we have a list F0(t) of tuples (y, n_0, n_1, D[y]) having the following interpretation:

1. n_0 represents NZ_{t,0} when ℓ||b_0 ... b_t = y,

2. n_1 represents NZ_{t+1,0} when ℓ||b_0 ... b_t = y, and

3. D[y] represents 𝒩^V_{t,0} when ℓ||b_0 ... b_t = y.

Then y is an invalid choice of ℓ||b_0 ... b_t if D[y] is empty. So we also put the restriction on F0(t) that it will contain only those tuples (y, n_0, n_1, D[y]) for which D[y] is non-empty. With this interpretation, clearly FX(ℓ) = F0(223). If for some t < 223 the set F0(t) is empty, then the set F0(223) is also empty. Hence, the following steps will compute FX(ℓ) for L_{0,0} = ℓ.

Step 1 Build list F0(0)

Using K = K_{0,0}, compute n_0 = NZ_{0,0} = L_{0,0} ⊕ K and initialize the list F0 by ∅. Next take K = K_{1,0} and for each b = b_0 ∈ {0,1}, set y ← ℓ||b, compute L_{1,0} from ℓ||b, and then compute

n_1 = NZ_{1,0} = L_{1,0} ⊕ K

Define D[y] = 𝒩*(g_2(n_1)) and add the following tuple to the list F0(0):

(y, n_0, n_1, D[y])

provided the set D[y] is non-empty. Thus F0(0) now looks like the following:

F0(0) = {(ℓ||0, n_0, n_1, D[ℓ||0]), (ℓ||1, n_0, n_1, D[ℓ||1])}

The set D[ℓ||0] represents 𝒩^V_{0,0} for L_{0,0} = ℓ and b_0 = 0. The other set in the list F0(0) has a similar interpretation. This completes our computation of F0(0). In the remaining steps, we will build list F0(t + 1) from F0(t).

Step 2 Set t ← 0.

Step 3 Compute F0(t + 1) from F0(t)

For each tuple in F0(t), we first generate sets D1(v1) for 0 ≤ v1 < 256 using Algorithm 3. Then for every value of b ∈ {0, 1}, we compute the corresponding 𝒩^V_{t+1,0} as follows:

1. Compute L_{t+2,0} from y||b as in Algorithm A2, Appendix A.

2. Compute NZ_{t+2,0} = L_{t+2,0} ⊕ K_{t+2,0},

3. Set D[y||b] = D1(g_2(NZ_{t+2,0})),

4. Add a tuple (y||b, n_1, NZ_{t+2,0}, D[y||b]) to F0(t + 1) only if D[y||b] is non-empty.

Note that y||b represents a valid choice of ℓ||b_0 ... b_t b_{t+1} if and only if the set D[y||b] is non-empty. For such valid choices of ℓ||b_0 ... b_t b_{t+1}, the corresponding tuples are put in a list F0(t + 1). Once we have exhausted all the elements in the list F0(t), we have generated F0(t + 1). Again, elements in F0(t + 1) will have interpretations (similar to those) given in the beginning of this step. Finally, this computation of F0(t + 1) from F0(t) is presented in the following algorithm.
Algorithm 5. Compute F0(t + 1) from F0(t)

0. for each (y, n_0, n_1, D[y]) ∈ F0(t) do

1.   Compute D1(0), ..., D1(255) from D[y] using Algorithm 3.

2.   for b ∈ {0, 1} do

3.     Compute n_2 = NZ_{t+2,0} from y, b and K_{t+2,0}.

4.     Set D[y||b] = D1[g_2(n_2)].

5.     if D[y||b] is non-empty

6.     then Add tuple (y||b, n_1, n_2, D[y||b]) to F0(t + 1).

7.     end-if

8.   end-do

9. end-do

Step 4 t ← t + 1

Step 5 Check for loop

If now t < 223 and the list F0(t) is non-empty, go to Step 3.

Step 6 Compute FX(ℓ)

Set FX(ℓ) ← F0(t).

We now argue that this process does not lead to handling infinite sets. We have seen empirically that for every choice of NZ_{0,0}, NZ_{1,0} and NZ_{2,0}, the set D[ℓ||b_0 b_1] has less than 2^21 elements for each possible choice of ℓ||b_0 b_1. In other words, the size of D[ℓ||b_0 b_1] is at most 1/8-th of the size of D[ℓ||b_0]. But for every b_0, there are two choices of b_1. Hence, if η_t denotes the total number of 32-bit strings contained in the D[ ] sets of list F0(t), then

η_1 ≤ (1/4) η_0 = 2^{−2} η_0

Proceeding this way, we will have η_t ≤ 2^{−2t} η_0. Note that F0(0) contains two tuples, each of which contains a set D[ ] of 2^24 elements. Thus η_0 = 2^24 + 2^24 = 2^25. So, the total number of 32-bit strings contained in all F0(t) for 0 ≤ t ≤ 223 is

Σ_{t=0}^{223} η_t ≤ η_0 Σ_{t≥0} 2^{−2t} < 2^26

Now, from Algorithms 4 and 5, it is clear that, during the computation of F0(t + 1) from F0(t), each string from each set D[ ] in F0(t) will be processed only once. And for each such processing, we will consider four possible choices of e_31 and e_0. Hence the total number of computations of strings in the entire process of finding FX(ℓ) is given by

4 × Σ_{t=0}^{223} η_t < 4 × 2^26 = 2^28   (4)

Now note that there are 2^32 choices of ℓ and so, we have proved the following:

Proposition 2. For every fixed value of ℓ, the set FX(ℓ) can be computed in less than 2^28 time. And so, the time complexity of finding the set FX is 2^32 × 2^28 = 2^60. In other words, the time complexity of finding LX_0 is 2^60.





Since each element in F0(t) gives rise to at most two tuples in F0(t + 1), and since F0(0) has two tuples, the number of tuples in F0(t) will be at most 2^{t+1}. The D[ ] sets in all these tuples will together contain η_t ≤ 2^{25−2t} strings. Hence for t > 8, some sets D[ ] are bound to be empty. For example, for t = 10, the list F0 is supposed to contain at most 2^11 tuples, and the D[ ] sets will have at most 2^5 strings. So, F0(10) cannot contain more than 2^5 valid tuples (with corresponding non-empty set D[ ]). Thus, the list F0( ) will go on shrinking for t > 8. Hence, we are going to get a singleton set FX.

Complexity of First Attack Against HBB: By Proposition 2, LX_0 can be found in 2^60 time. The time complexity for finding LY_0 will be the same and so, our first attack against the B mode of HBB has time complexity:

2^60 + 2^60 = 2^61.


4 A Faster Attack

This attack is almost the same as the first attack, except for the computation of the set 𝒩^V_{t,0}. We first note the following: fix t ≥ 0. Let N_{t,0} = H||L where H (L) is a 16-bit string and "||" represents concatenation of strings. Then, by Proposition 1, H (L) will have 2^12 choices. We will denote the collection of all such choices of H (L) by ℋ𝒩_{t,0} (ℒ𝒩_{t,0}) and write 𝒩_{t,0} = ℋ𝒩_{t,0}||ℒ𝒩_{t,0}. We will now mimic the computation of 𝒩^V_{t,0} from the sets 𝒩_{i,0}, 0 ≤ i ≤ t + 1. In the same way, we can compute the set ℋ𝒩^V_{t,0} from the sets ℋ𝒩_{i,0}, 0 ≤ i ≤ t + 1. The pseudocode is given in Algorithm A3, Appendix A. Similarly, we can compute ℒ𝒩^V_{t,0}. (For pseudocode, see Algorithm A4, Appendix A.) Clearly, 𝒩^V_{t,0} will be a subset of ℋ𝒩^V_{t,0}||ℒ𝒩^V_{t,0}. If for any t one of the sets ℋ𝒩^V_{t,0} or ℒ𝒩^V_{t,0} is empty, so will be 𝒩^V_{t,0}. So, we will only compute ℋ𝒩^V_{t,0} for t ≥ 0. The computation follows similar steps as in Section 3.3. Thus, our faster attack can be described by the following algorithm:

Algorithm 6. Sketch of faster attack

Guess ℓ||b_0 ⋯ b_t.

Compute L_{0,0}, L_{1,0}, ..., L_{t−1,0}, L_{t,0} (unique choice)

Compute NZ_{0,0}, NZ_{1,0}, ..., NZ_{t−1,0}, NZ_{t,0} (unique choice)

Compute ℋ𝒩_{0,0}, ℋ𝒩_{1,0}, ..., ℋ𝒩_{t−1,0}, ℋ𝒩_{t,0} (2^12 choices)

Compute ℋ𝒩^V_{0,0}, ℋ𝒩^V_{1,0}, ..., ℋ𝒩^V_{t−1,0}, ℋ𝒩^V_{t,0} (shrinking sets)


For the computation of ℋ𝒩^V_{t,0} we introduce the following functions:

Function g_3(x) : {0,1}^16 → {0,1}^4

1. Compute y = NLSub(x) = y_15 ... y_0

2. Compute a = y_15 y_11 y_7 y_3

3. Return a






Function g_4(x) : {0,1}^32 → {0,1}^4

1. Compute y = NLSub^{−1}(x) = y_31 ... y_0

2. for j = 0, ..., 7 do

3.   a_j = y_{14+4j} ⊕ y_{21+4j} ⊕ y_{28+4j} (subscripts are computed mod 32)

4. end-do

5. Compute a = a_7 a_6 a_5 a_4

6. Return a

Function g_5(x) : {0,1}^32 → {0,1}^4

1. Compute y = NLSub^{−1}(x) = y_31 ... y_0

2. for j = 0, ..., 7 do

3.   a_j = y_{14+4j} ⊕ y_{21+4j} ⊕ y_{28+4j} (subscripts are computed mod 32)

4. end-do

5. Compute a = a_3 a_2 a_1 a_0

6. Return a

Now for a ∈ {0,1}^4, defining the sets J*(a) = {x ∈ {0,1}^16 : g_3(x) = a}, we get the following from Proposition 1:

ℋ𝒩_{i−1,0} = J*(g_4(NZ_{i,0})) and ℒ𝒩_{i−1,0} = J*(g_5(NZ_{i,0}))

where each set J*( ) contains 2^12 elements. The pseudocodes are given in Algorithms A3 and A4 of Appendix A. We have seen empirically that, for t ≥ 0,

(size of ℋ𝒩^V_{t+1,0}) / (size of ℋ𝒩^V_{t,0}) ≤ 1/(2√2) and (size of ℒ𝒩^V_{t+1,0}) / (size of ℒ𝒩^V_{t,0}) ≤ 1/(2√2)

So, in this revised faster attack, each initial tuple contains one set of cardinality 2^12 (as opposed to 2^24 elements in the first attack). Define π_t to be the sum of the cardinalities of all surviving ℋ𝒩^V_{t,0} sets, for all values of ℓ||b_0 ⋯ b_t with fixed ℓ. Then π_t ≤ (1/√2) π_{t−1}. So, the complexity of finding FX(ℓ) for a given ℓ is

4 × Σ_{t=0}^{223} π_t ≤ 4 π_0 Σ_{t=0}^{223} (1/√2)^t < 2^17

as opposed to 2^28 (equation 4) for the first attack. So, this revised attack is faster than the first attack by a margin of 2^11 (= 2^28 / 2^17). In other words, the time required to find L_0 is given by 2^61 / 2^11 = 2^50.


5 Conclusion 

We have presented an attack against the B mode of HBB. The time complexity of the attack is 2^50, requiring 225 blocks of plaintext to be known. Thus, HBB even using a 128-bit secret key is also not secure. We think there are certain design weaknesses in HBB shown by our attack: (1) Improper use of the CA generator: knowing any p consecutive bits of the CA at any point of time ensures that one knows p − 2 bits of the CA at the next time point. This is a crucial and previously unobserved property of the CA. Compared to an LFSR, it is this property that makes the CA much more susceptible to guess-then-determine attacks. This is a lesson on secure CA usage. (2) The key stream is produced by XORing a portion of the linear and the nonlinear part. Further, the nonlinear part is updated by mixing a separate portion of the linear part into it. While this mixing is necessary, the manner in which it is done is not correct. The linear part is simply XORed into the nonlinear part, creating a weakness that can again be exploited in a guess-then-determine attack. (This property allows the recent algebraic attack on HBB.) On the other hand, SNOW also updates the nonlinear part by mixing with the linear part. But this mixing is effected by an addition modulo 2^32. In fact, as has been recently observed, if this addition is replaced by a XOR, SNOW also becomes weak and susceptible to algebraic attacks [6]. (3) Too much of the state is revealed by HBB. In order to achieve efficiency, the entire nonlinear part is mixed with a portion of the linear part to produce the 128-bit keystream block. Again this is an undesirable thing to do and makes the verification stage of the guess-then-determine attack easier. Thus, to develop a cipher using CA, a designer should avoid the above pitfalls.

If an LFSR is used instead of a CA, then the described attack will not hold. Whether the attack can be modified to also hold for an LFSR is still an open problem. An implementation of the attack can be obtained from the author.
Appendix A

Algorithm A1. Compute L_{i,0}, 0 ≤ i ≤ t, from ℓ||b_0 ⋯ b_{t−1}

1. R_{0,t} ← most significant 32 + t bits of R_0

2. x ← ℓ||b_0 ⋯ b_{t−1} ; L_{0,0} = ℓ ;

3. for i = 0 to t − 1 do

4.   x ← (x << 1) ⊕ (x >> 1) ⊕ (x ∧ R_{0,t}) ;

5.   L_{i+1,0} = most significant 32 bits of x ;

6. end-do

Algorithm A2. Compute L_{t+2,0} from ℓ||b_0 ⋯ b_{t+1}

1. x ← ℓ||b_0 ⋯ b_t b_{t+1} ;

2. for i = 0 to t + 1 do

3.   x ← (x << 1) ⊕ (x >> 1) ⊕ (x ∧ R_{0,t+1}) ;

4. end-do

5. L_{t+2,0} = most significant 32 bits of x ;

Algorithm A3. Computation of ℋ𝒩^V_{t+1,0} from ℋ𝒩^V_{t,0}

1. for v1 = 0 to 15 do

2.   HD1(v1) ← ∅ /* set initialized by ∅ */

3. end-do

4. NZ_{t+1,0} = nz_{t+1,1}||nz_{t+1,0} /* each sub-string has 16 bits */

5. NZ_{t,0} = nz_{t,1}||nz_{t,0} /* each sub-string has 16 bits */

6. for every x ∈ ℋ𝒩^V_{t,0} do

7.   z ← m(f(x ⊕ nz_{t,1}, r1)) ⊕ m(nz_{t+1,1})

8.   for (δ_31, δ_16) ∈ {0,1}^2 do

9.     Set z* ← δ_31||z||δ_16

10.    Add z* to the set HD1(g_3(z*))

11.  end-do

12. end-do

13. ℋ𝒩^V_{t+1,0} ← HD1(g_4(NZ_{t+2,0}))

Algorithm A4. Computation of ℒ𝒩^V_{t+1,0} from ℒ𝒩^V_{t,0}

1. for v1 = 0 to 15 do

2.   LD1(v1) ← ∅ /* set initialized by ∅ */

3. end-do

4. NZ_{t+1,0} = nz_{t+1,1}||nz_{t+1,0} /* each sub-string has 16 bits */

5. NZ_{t,0} = nz_{t,1}||nz_{t,0} /* each sub-string has 16 bits */

6. for every x ∈ ℒ𝒩^V_{t,0} do

7.   z ← m(f(x ⊕ nz_{t,0}, r0)) ⊕ m(nz_{t+1,0})

8.   for (δ_15, δ_0) ∈ {0,1}^2 do

9.     Set z* ← δ_15||z||δ_0

10.    Add z* to the set LD1(g_3(z*))

11.  end-do

12. end-do

13. ℒ𝒩^V_{t+1,0} ← LD1(g_5(NZ_{t+2,0}))

Here, r1 and r0 are chosen suitably from R_0 (Section 2).
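As an added example (not the author's implementation) of Algorithm A1 and of the "p known bits give p − 2 known bits" property of the CA rule from Section 2 that the conclusion singles out: Python that evolves a constructed 256-bit LX and checks that the top word recovered from the 32+t guessed bits matches the true L_{i,0}; R_0 is replaced by a constructed random constant because the page's copy of it is OCR-damaged.

```python
import random

WIDTH = 256  # LX_0 is the 256-bit half L_{0,0}||...||L_{0,7} of the linear core

# R_0 is a fixed 256-bit HBB constant (Section 2). The copy on this page is
# OCR-damaged, so a constructed random constant is used here instead (assumption).
R0 = random.Random(412).getrandbits(WIDTH)


def ca_next(x, r, width):
    """One step of the linear-core rule, Algorithm 1 step 1.2, on a width-bit
    string with zeros beyond both ends: x <- (x << 1) ^ (x >> 1) ^ (x & r)."""
    mask = (1 << width) - 1
    return ((x << 1) & mask) ^ (x >> 1) ^ (x & r)


def top_bits(x, width, n):
    """The n most significant bits of a width-bit string."""
    return x >> (width - n)


def algorithm_a1(prefix, t):
    """Algorithm A1: from the 32+t most significant bits ell||b_0..b_{t-1} of LX_0,
    compute L_{i,0} for 0 <= i <= t. Only the low end of the window is unknown, and
    each round corrupts just one more bit from that end, so the top word stays exact."""
    w = 32 + t
    r0t = top_bits(R0, WIDTH, w)          # R_{0,t}
    x = prefix
    words = [top_bits(x, w, 32)]          # L_{0,0} = ell
    for _ in range(t):
        x = ca_next(x, r0t, w)
        words.append(top_bits(x, w, 32))  # L_{i+1,0}
    return words


def a1_matches_full_evolution(t, seed):
    """Compare Algorithm A1 with evolving the complete (constructed) 256-bit LX."""
    rng = random.Random(seed)
    lx = rng.getrandbits(WIDTH)
    prefix = top_bits(lx, WIDTH, 32 + t)
    truth, state = [], lx
    for _ in range(t + 1):
        truth.append(top_bits(state, WIDTH, 32))   # L_{i,0} is the top word of LX_i
        state = ca_next(state, R0, WIDTH)
    return algorithm_a1(prefix, t) == truth


def interior_bits(x, lo, hi):
    """Bits lo+1..hi-1 of x, i.e. m() of the window lo..hi."""
    return (x >> (lo + 1)) & ((1 << (hi - lo - 1)) - 1)


def window_property_holds(seed, lo=100, hi=140):
    """If two states agree on p = hi-lo+1 consecutive bits, their successors agree on
    the p-2 interior bits of that window, whatever the bits outside it are."""
    rng = random.Random(seed)
    x = rng.getrandbits(WIDTH)
    window = ((1 << (hi - lo + 1)) - 1) << lo
    noise = rng.getrandbits(WIDTH) & ~window      # differs only outside the window
    x2 = x ^ noise
    return interior_bits(ca_next(x, R0, WIDTH), lo, hi) == interior_bits(ca_next(x2, R0, WIDTH), lo, hi)


if __name__ == "__main__":
    print("A1 reproduces L_{i,0} for t=223:", a1_matches_full_evolution(223, seed=7))
    print("p known bits give p-2 known bits:", window_property_holds(seed=7))
```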
Abstract. In this paper, we revisit the famous Davies-Murphy cryptanalysis of DES. First we improve its complexity down to the analysis of 2^45 chosen plaintexts, by considering 6 distributions instead of 7. The previous improvement of the attack by Biham and Biryukov cost 2^50 known plaintexts. This new result is better than differential cryptanalysis but slightly worse than linear cryptanalysis. Secondly, we explore the link between this attack and other cryptanalysis techniques, in particular linear cryptanalysis.


1 Introduction 

DES (Data Encryption Standard) is a popular encryption algorithm published in the late 70's by the American National Bureau of Standards (NBS) for governmental use [12]. DES is a block cipher encrypting blocks of data of length 64 bits under a secret key of length 56 bits. DES quickly became a popular cipher and is still widely used today. Although it has been replaced by the more recent AES [13], DES is still an attractive topic for cryptographers. Indeed 64-bit block algorithms remain in use in many cryptographic devices and the migration to AES is quite slow.

Given the large amount of research on the topic, DES has surprisingly well resisted cryptanalysis. In practice, the best way of attacking DES is by brute force on the 56 bits of the key. This is feasible with large resources and can be achieved using dedicated hardware or a large cluster of standard machines [7]. Another topic of analysis has been the research of shortcut attacks (faster than exhaustive search). Several results have been published since the early 90's:

— Differential Cryptanalysis [4] was the first published theoretical cryptanalysis of DES. This technique, proposed by Biham and Shamir, requires encrypting (under the same key) 2^47 chosen plaintexts.

— Linear Cryptanalysis [11] was published shortly after by Matsui. It is slightly more efficient than Differential Cryptanalysis, since it requires about 2^43 known plaintexts. This attack was implemented by Matsui and the experiment was repeated afterwards and even slightly improved [8, 9, 15].

B. Roy (Ed.): ASIACRYPT 2005, LNCS 3788, pp. 425-442, 2005. 
Table 1. Summary of Cryptanalysis of DES

Cryptanalysis Technique               Time Complexity   Data Complexity
Exhaustive Search                     2^55              1 known plaintext
Linear Cryptanalysis [11]             2^43              2^43 known plaintexts
Bi-Linear Cryptanalysis [5]           ~2^43             ~2^43 known plaintexts
Differential Cryptanalysis [4]                          2^47 chosen plaintexts
Davies-Murphy Cryptanalysis [3, 6]                      2^50 known plaintexts
This paper                                              2^45 chosen plaintexts



— Bi-Linear Cryptanalysis [5] was published recently at Crypto 2004. It is
an extension of Linear Cryptanalysis using some particular quadratic
approximations instead of linear ones. Its complexity is roughly the same as
that of Linear Cryptanalysis, and the two techniques appear to be closely related.

— Davies-Murphy Cryptanalysis [6] is a dedicated attack against DES.
The starting point was the observation by Davies that adjacent pairs (and
triplets) of S-boxes in DES produce unbalanced output. At first, it was
believed that the attack was slower than exhaustive search. However, in 1995,
Biham and Biryukov [3] demonstrated how to improve these results. Their
resulting attack costs 2^50 known plaintexts, which is worse than Linear or
Differential cryptanalysis, but still represents a theoretical break of DES.

— There exist other attacks, like the differential-linear attack or partitioning
attacks.

In this paper, we propose a further improvement of the Davies-Murphy cryptanalysis.
Our new attack requires encrypting and processing 2^45 chosen plaintexts
in order to recover the secret key. Therefore our results place the attack between
linear cryptanalysis and differential cryptanalysis in terms of complexity (see
Table 1).

Also, our improved attack is very closely related to linear cryptanalysis (we
use a biased linear combination of intermediate bits). It is already well known
(with Biham's work [2] in particular) that Matsui's attack and the Davies-Murphy
attack are closely related. In Section 4, we further explore this relation in the
general case. We prove that linear distinguishers become almost optimal after
several convolutions, which explains the convergence observed between the
complexities of both attacks. It also shows that Davies-Murphy cryptanalysis cannot
significantly outperform linear cryptanalysis.

2 DES and Davies-Murphy Cryptanalysis 

2.1 DES 

DES [12] was published in 1977. It is a Feistel cipher (see Figure 1) with 16
rounds. DES operates on a 64-bit block of data, which is split into two halves of
equal length.

Fig. 1. General Structure of a Feistel cipher

The round function F of DES (also see Figure 2) first expands the state
from 32 to 48 bits using a linear expansion E. Then a 48-bit subkey K is added
bitwise to the state before a layer S of S-boxes is applied. This layer is built with
8 different S-boxes applied in parallel, each taking 6 input bits and producing
4 output bits. Therefore the layer S reduces the state size from 48 to 32 bits.
Finally the state is permuted with a function P. Therefore

$F(x) = P \circ S(K \oplus E(x))$

Even though this round function is not bijective, the Feistel network remains
invertible by construction. However, a consequence of the non-invertibility is that
for a given key, some outputs are produced more often than others by the round
function F. This causes a natural imbalance in the cipher. The general idea of
Davies-Murphy cryptanalysis is to take advantage of this property.


2.2 Pairs of Adjacent S-Boxes 

Any pair of adjacent S-boxes of DES "shares" two input bits (see Figure 2). To
detail this phenomenon, we focus on the pair of S-boxes (S1, S2) and call (V1, V2)
the corresponding outputs. We want to observe the distribution of (V1, V2) for a
fixed key and a random round input.

[Figure 2: subkey addition, S-boxes S1 to S8 in parallel, permutation]

Fig. 2. The round function F of DES

The Output of Adjacent S-Boxes is Not Balanced

Let $\{x_i\}_{i=1,\dots,32}$ be the round input bits and $\{k_i\}_{i=1,\dots,48}$ the bits of the subkey K.
It directly follows from the specifications of DES that the input of S1, denoted
$A = (a_1, \dots, a_6)$, is

$A = (x_{32}, x_1, x_2, x_3, x_4, x_5) \oplus (k_1, k_2, k_3, k_4, k_5, k_6)$

Similarly, the input of S2, denoted $B = (b_1, \dots, b_6)$, is

$B = (x_4, x_5, x_6, x_7, x_8, x_9) \oplus (k_7, k_8, k_9, k_{10}, k_{11}, k_{12})$

An important observation is that $x_4$ and $x_5$ are used twice: once in A and once
in B. Suppose that the $x_i$'s are random; then A and B are also random, except that
they have to satisfy the constraints:

$a_5 \oplus b_1 = k_5 \oplus k_7$ (1)

$a_6 \oplus b_2 = k_6 \oplus k_8$ (2)

Hence for a pair of adjacent S-boxes, like (S1, S2), the output distribution depends
on two key bits $s = k_5 \oplus k_7$ and $t = k_6 \oplus k_8$.

The Imbalance Depends on 1 Key Bit Only

DES S-boxes have a very particular form. Indeed, when the leftmost and rightmost
input bits are fixed, each $S_i$ performs a permutation of the remaining 4
input bits. A subtle consequence of this property is that the distribution of
(V1, V2) does not depend on (s, t) but only on $s \oplus t$. In this section, we explain
why this property is true.

Fix a target output called $(z_1, z_2)$. Each $z_i$ has exactly 4 preimages due to
the row structure of the DES S-boxes. Hence there are 4 inputs of S1 (one in
each row of the S-box) such that $V_1 = z_1$. Similarly 4 inputs of S2 yield $V_2 = z_2$.
The total number of preimages of $(z_1, z_2)$ is thus $4 \times 4 = 16$, where each solution
is formed with an input of S1 combined with an input of S2. Let $N_{(s,t)}$ be the
number among these 16 solutions that also satisfy the constraints (1) and (2) on
s and t. Clearly,

$N_{(0,0)} + N_{(0,1)} + N_{(1,0)} + N_{(1,1)} = 16$ (3)

For a fixed key, the probability $p(z_1, z_2)$ to obtain the output $(z_1, z_2)$ is related
to the quantity $N_{(s,t)}$ by the formula

$p(z_1, z_2) = N_{(s,t)} \times 2^{-10}$

Besides, we can use symmetry arguments: since the bit $a_6$ is used to index the
rows of the S-box S1, it is well balanced among all preimages. So exactly half
of the 4 S1-preimages of $z_1$ satisfy $a_6 = 1$. Since all preimages of $(z_1, z_2)$ are
obtained by choosing independently an S1-preimage of $z_1$ and an S2-preimage of
$z_2$, then $t = a_6 \oplus b_2$ is balanced among these 16 preimages and:

$N_{(0,0)} + N_{(1,0)} = N_{(0,1)} + N_{(1,1)} = 8$ (4)

Using the same symmetry argument on the bit $b_1$ we see that

$N_{(0,0)} + N_{(0,1)} = N_{(1,0)} + N_{(1,1)} = 8$ (5)

Putting together (4) and (5) we deduce:

$N_{(0,0)} = N_{(1,1)}$

$N_{(0,1)} = N_{(1,0)}$

Hence the output distribution of adjacent S-boxes depends only on the key-dependent
bit k defined as

$k = s \oplus t = k_5 \oplus k_6 \oplus k_7 \oplus k_8$


An Example

Two output distributions are therefore possible for (S1, S2) depending on the
key-dependent bit k. Call $D_0$ (resp. $D_1$) the distribution corresponding to the
case k = 0 (resp. k = 1). For instance $D_1(z_1, z_2)$ is the probability that the
output of (S1, S2) is $(z_1, z_2)$ when k = 1.

The full distribution is represented in Table 2. It is interesting to notice that
$D_0$ and $D_1$ are symmetric: they sum up to the uniform distribution. Denote
by a single variable x the eight bits of $(z_1, z_2)$. Then:

$\frac{D_0(x) + D_1(x)}{2} = \frac{1}{256}$

Hence, although the output is not balanced for a fixed key, it is globally balanced
over all keys.

2.3 The Resulting Imbalance on 16 Rounds

Table 2. Output distributions for (S1, S2). Values in the table should be divided by
1024.

Since DES is a Feistel cipher, the XOR of plaintext and ciphertext is the XOR of
8 round outputs (see Figure 1). We focus on the output of adjacent S-boxes, like
S1 and S2.^1 For these 8 bits, unbalanced distributions (like the one described in
Table 2) are produced at each round. After XORing these outputs, the result is
a convolution of several distributions of the form $D_k$.

At first, one could expect the convolution of t output distributions to depend
on t key-dependent bits, i.e. one bit per distribution. However, it can easily be
shown that only the parity of these t bits matters. For instance, consider the
distribution $D_1 \otimes D_1$ obtained by the convolution of $D_1$ with itself.

$D_1 \otimes D_1(x) = \sum_a D_1(a)\, D_1(a \oplus x)$

$= \sum_a \left(\frac{1}{128} - D_0(a)\right)\left(\frac{1}{128} - D_0(a \oplus x)\right)$

$= \frac{1}{64} - \frac{1}{64} + \sum_a D_0(a)\, D_0(a \oplus x)$

$= \sum_a D_0(a)\, D_0(a \oplus x)$

$= D_0 \otimes D_0(x)$

So it is equivalent to compose $D_0$ with itself or $D_1$ with itself. More generally,
only the parity of the t key-dependent bits involved matters. By extension, we
simply denote $D_0^t$ (resp. $D_1^t$) the distribution after t convolutions when the parity
bit is 0 (resp. 1). If an attacker can efficiently distinguish these two distributions,
he learns one bit of information about the key. However, this analysis requires
a large number of (plaintext, ciphertext) pairs because the distributions are almost
uniform after a few convolutions.


2.4 Application to Cryptanalysis

The problem of distinguishing two distributions is a classical topic in the literature,
since it is related to many cryptanalysis problems (see [1] for example). In
the particular case of DES, the problem is to distinguish $D_0^8$ from $D_1^8$. One
of these two distributions should be observed when XORing 8 appropriate bits
from the plaintext and the ciphertext.

Davies and Murphy estimated in [6] the number of samples necessary to
distinguish reliably these two distributions. For several pairs of adjacent S-boxes,
these results are summarized in Table 3. The results depend highly on which pair
is considered. In particular, (S7, S8) is the most favorable pair for the attack,
although it still falls above the 2^56 limit. Therefore it was first believed that
Davies-Murphy cryptanalysis could not break DES.

Later, further improvements of Davies-Murphy cryptanalysis were proposed.
Biham and Biryukov suggested using 7 convolved distributions instead of 8. So
their approximation no longer takes into account the full DES but only 15 rounds,
and accordingly an additional analysis is needed to handle the first (or last) round.
The resulting attack works by processing only 2^50 known plaintexts, which is
better than exhaustive search.

1 After the permutation P, the corresponding bits are 2, 9, 13, 17, 18, 23, 28 and 31.

Table 3. Number of known plaintexts needed for a 97% success rate

Pair of S-boxes | (1,2)  | (2,3)  | (3,4)  | (4,5)  | (5,6)  | (6,7)  | (7,8)  | (8,1)
Complexity      | 2^66.0 | 2^69.3 | 2^85.6 | 2^70.6 | 2^71.6 | 2^66.0 | 2^56.6 | 2^77.3

More recently, other extensions of Davies-Murphy Cryptanalysis were published.
Pornin analyzed how to improve the resistance against the attack [14],
and Kunz-Jacques et al. suggested using the attack for side channel analysis [10].

3 Improving Davies-Murphy Cryptanalysis 

In this section, we propose a new improvement of Davies-Murphy cryptanalysis. 
Our general idea is to use the convolution of only 6 distributions of round out- 
puts (Davies and Murphy used 8 distributions [6], Biham and Biryukov only 7 
distributions [3]). Therefore we approximate the behavior of only 13 rounds of 
DES. We take into account the 3 remaining rounds, but chosen plaintext is then 
needed, and several additional algorithmic tricks must be used. 


3.1 General Framework 

Like many statistical cryptanalyses, our attack is decomposed into three main
phases.

— First we identify an internal object in the cipher that does not behave randomly.
This statistical imbalance can be used to distinguish its behavior
from a random one. Generally, such an object needs to be predictable from
the plaintext, the ciphertext and possibly several key bits.

— Then we encrypt a large number of (chosen) messages and remember only a
small part of the information about each result. Typically, we store the number
of occurrences of a small pattern of plaintext/ciphertext bits.

— Finally, we reconstruct the internal object from the collected data. This
phase generally contains some partial exhaustive search, and the statistical
properties of the object are used as a stopping condition. Ultimately we want
to retrieve the secret key faster than exhaustive search.


3.2 The Internal Object 

Davies-Murphy cryptanalysis targets the distribution of 8 bits from the round
output, which are obtained from 2 adjacent S-boxes. After t convolutions, the
resulting distribution is denoted $D_0^t$ or $D_1^t$ depending on the value of a key-dependent
parity bit. Previous papers [3, 6] require distinguishing between these
two distributions. Our attack has two important differences.
Table 4. Comparison of several distinguishers for Davies-Murphy cryptanalysis

Pair of S-boxes       | (1,2)  | (2,3)  | (3,4)   | (4,5)  | (5,6)  | (6,7)  | (7,8)  | (8,1)
Opt. Dist. t = 1      | 2^4.4  | 2^4.1  | 2^6.?   | 2^4.7  | 2^5.4  | 2^5.1  | 2^4.2  | 2^5.7
Best Lin. Dist. t = 1 | 2^8    | 2^8.83 | 2^10.83 | 2^8.83 | 2^8.83 | 2^8    | 2^6.83 | 2^9.66
Opt. Dist. t = 6      | 2^47.9 | 2^49.6 | 2^62    | 2^50.9 | 2^51.9 | 2^47.9 | 2^40.8 | 2^55.9
Best Lin. Dist. t = 6 | 2^48   | 2^53   | 2^65    | 2^53   | 2^53   | 2^48   | 2^41   | 2^58
Opt. Dist. t = 8      | 2^64   | 2^67.3 | 2^83.6  | 2^68.6 | 2^69.6 | 2^64   | 2^54.6 | 2^75.3
Best Lin. Dist. t = 8 | 2^64   | 2^70.6 | 2^86.6  | 2^70.6 | 2^70.6 | 2^64   | 2^54.6 | 2^77.3

First we need to distinguish one of these two distributions (it does not matter
whether the parity bit is 0 or 1 due to symmetry properties) from a uniform
distribution. Secondly, to reduce the cost of the data collection, we propose to
focus on the linear combination of these 8 bits with the strongest bias. Naturally,
such a linear distinguisher cannot be more efficient than the optimal
distinguisher, but it requires the storage of only 1 bit of information (instead
of 8 bits), which turns out to be crucial for the data collection and data analysis
phases.

Table 4 compares the samples needed by the optimal distinguisher and the
best linear distinguisher for a fixed probability of success.

The complexities obtained are very similar for both distinguishers. This comparison
is further developed in Section 4. Here we are interested in t = 6 and
target the most favorable pair of S-boxes, i.e. (S7, S8). We computed that the best
linear combination $\lambda$ is

$\lambda(X) = X_5 \oplus X_7 \oplus X_{12} \oplus X_{21} \oplus X_{22} \oplus X_{27} \oplus X_{32}$

where $X = (x_1, \dots, x_{32})$ is the output of the round function F. We have

$\Pr[\lambda(X) = 1] = 0.5\,(1 \pm 2^{-3.4}) = 0.5 \pm 0.046875$

depending on the key. After 6 convolutions, we have

$\Pr[\lambda(X) = 1] = 0.5\,(1 \pm (2^{-3.4})^6) = 0.5\,(1 \pm 2^{-20.5})$

The amount of data needed for the corresponding distinguisher is about 2^41
samples.


3.3 The Data Collection 

In the following we do not take into account the initial and the final permutation
of DES. Let $(p_i)_{i \le 64}$ denote the plaintext bits. The left branch of the plaintext
is called $p_L = (p_1, \dots, p_{32})$ and the right branch $p_R = (p_{33}, \dots, p_{64})$. Similar
notations are used for the ciphertext bits $c_i$. In this data collection phase, we
encrypt n messages that satisfy:

— The left branch of the plaintext $p_L$ is chosen at random.

— 14 bits of the right branch are also random: $(p_{50}, \dots, p_{63})$. These bits are
involved only in S-boxes S5, S6, S7 and S8.

— The 18 remaining plaintext bits are set to an arbitrary but constant value.

Fig. 3. Summary of the data collection phase

Given the degrees of freedom, n cannot exceed 2^46. For each encryption, we
store the following piece of information:

— The bit $\lambda(p_R) \oplus \lambda(c_R)$

— The 14 bits $(p_{50}, \dots, p_{63})$ from the plaintext, which are involved in the
S-boxes S5, S6, S7 and S8 of the first round.

— The 10 bits $(p_1, p_{24}, \dots, p_{32})$ from the plaintext, which are involved in the
S-boxes S7 and S8 of the second round.

— The 10 bits $(c_1, c_{24}, \dots, c_{32})$ from the ciphertext, which are involved in the
S-boxes S7 and S8 of the last round.

Hence we have a pattern of 1 + 14 + 10 + 10 = 35 bits to store. For the sake of
efficiency, we only store the number of occurrences of each pattern in a table.
This requires a table of size 2^35, where each entry in the table is a counter.^2

This data collection phase is detailed in Figure 3. X and Y denote two
intermediate states in the right branch of the Feistel network. U is the output of the
1st round, V the output of the 2nd round and W the output of the 16th
round. $X \oplus Y$ is the XOR of 6 round outputs, so $\lambda(X \oplus Y)$ is not uniformly
distributed according to the results of Section 3.2. However this object is not
directly accessible. The purpose of storing these pieces of information about each
message is to later predict $\lambda(X \oplus Y)$ in the data analysis phase.

2 Two bytes should be sufficient to store the counter, since each pattern occurs on
average $2^{45} \times 2^{-35} = 1024$ times.

3.4 The Data Analysis

We want to predict $\lambda(X \oplus Y)$ from the data collected previously. For that purpose,
we use the following relation:

$\lambda(X \oplus Y) = \lambda(p_R) \oplus \lambda(c_R) \oplus \lambda(V) \oplus \lambda(W)$ (6)

The notation $U_i$, $V_i$ and $W_i$ is used to denote the bits of U, V and W.

The general idea of the attack is to perform an exhaustive search on a portion
of the key bits. The pattern bits previously stored allow us to determine the value of
$\lambda(V)$ and $\lambda(W)$ in each case. Hence we determine all the terms involved in (6) and
eventually predict how many times $\lambda(X \oplus Y)$ is equal to 1 among the samples. For
the correct guess, this number should be significantly far from half of the samples.

Unfortunately, such a direct approach is way too expensive. Hence we need
to decompose the attack into several steps. At each step, we only guess a few key
bits, derive some intermediate information, and immediately get rid of what is
no longer needed in the initial pattern.

Let us detail the first step. The starting point is the table built in the
data collection phase. We refer to it as $T_0$. Guess the following 6 bits from
the secret key: $(K_7, K_{21}, K_{22}, K_{39}, K_{53}, K_{63})$. They are XORed to the bits
$(c_{28}, c_{29}, c_{30}, c_{31}, c_{32}, c_1)$ before S-box S8 at round 16. Hence we can determine
S8's output and in particular the combination $W_5 \oplus W_{21} \oplus W_{27}$, which is a portion
of the term $\lambda(W)$. After this step, 4 bits from the ciphertext are no longer
needed. Thus we replace $T_0$ by a new table $T_1$ of size only 2^31 where the number
of occurrences of the following 31-bit pattern is stored:

— The bit $\lambda(p_R) \oplus \lambda(c_R) \oplus W_5 \oplus W_{21} \oplus W_{27}$

— The 14 bits $(p_{50}, \dots, p_{63})$ from the plaintext

— The 10 bits $(p_1, p_{24}, \dots, p_{32})$ from the plaintext

— The 6 bits $(c_{24}, \dots, c_{29})$ from the ciphertext, which are involved in the S-box
S7 of the last round.

In the second step, we guess 6 additional key bits which are involved in S7
at round 16: $K_4, K_6, K_{23}, K_{28}, K_{29}, K_{46}$. Up to this point, 12 key bits have
been guessed. Then we use the remaining 6 ciphertext bits in $T_1$ to predict
$W_7 \oplus W_{12} \oplus W_{22} \oplus W_{32}$. Now we know all of $\lambda(W)$ and can get rid of all ciphertext
bits. Hence we replace $T_1$ by a new table $T_2$ where the number of occurrences of
the following 25-bit pattern is stored:

— The bit $\lambda(p_R) \oplus \lambda(c_R) \oplus \lambda(W)$

— The 14 bits $(p_{50}, \dots, p_{63})$ from the plaintext

— The 10 bits $(p_1, p_{24}, \dots, p_{32})$ from the plaintext
Table 5. Successive steps of the data analysis phase

Step | Key bits guessed       | Total bits guessed | Old table | New table | Time complexity
0    |                        | 0                  |           | 2^35      | 2^35
1    | 7, 21, 22, 39, 53, 63  | 6                  | 2^35      | 2^31      | 2^41
2    | 4, 6, 23, 28, 29, 46   | 12                 | 2^31      | 2^25      | 2^43
3    | 37, 54                 | 14                 | 2^25      | 2^23      | 2^39
4    | 5, 30, 47              | 17                 | 2^23      | 2^19      | 2^40
5    | 15, 20, 38, 61         | 21                 | 2^19      | 2^15      | 2^40
6    | 13, 14, 31, 45, 55, 62 | 27                 | 2^15      | 2^11      | 2^42
7    | 3 internal bits        | 30                 | 2^11      | 2^7       | 2^41
8    | 4 internal bits        | 34                 | 2^7       | 2^1       | 2^41

Similarly, the next steps of the analysis allow us to predict the term $\lambda(V)$
in relation (6). To that purpose, we first need to predict some bits of U. These
steps are detailed in Appendix A.

Table 5 summarizes the successive steps of this data analysis phase. At each
step, the complexity corresponds to the number of bits guessed multiplied by
the size of the table to manipulate. The maximal complexity reached during the
analysis is 2^43.

After step 8, we have guessed a total of 34 bits, among which 27 are directly
key bits. So we know how many times $\lambda(X \oplus Y)$ is equal to 1 using the relation
(6) and the content of table $T_8$. Then we can apply our statistical distinguisher
to determine the correct guess among the $2^{34} - 1$ wrong guesses.

3.5 Finishing the Attack

How to finish the attack depends on the exact probability of success of the linear
distinguisher, and thus on the number of samples n. Generally one assumes that
both distributions occur with the same probability. Then, the probability $P_{fa}$
of false alarm (i.e. the probability that a wrong guess is identified as correct)
is the same as the probability $P_{nd}$ of non-detection of the correct key (i.e. the
probability that a correct guess is identified as wrong). But here we need to
identify one correct guess among $2^{34} - 1$ wrong guesses, so the crucial point is to
have a low probability of false alarms. Therefore we propose several trade-offs.
First, we set $P_{nd}$ to 50%. Then we have $P_{fa} = \phi(\sqrt{d})$ where d is a parameter
computed from the number of samples n (see Section 4 for more details) and $\phi$
is defined as

$\phi(x) = \frac{1}{\sqrt{2\pi}} \int_x^{+\infty} e^{-u^2/2}\, du$

Secondly, we set $P_{nd} = 15.86\%$. This gives $P_{fa} = \phi(\sqrt{d} - 1)$. Table 6 presents
various numeric applications. The number of samples n cannot exceed 2^46 because
we do not have enough degrees of freedom. It is not possible to completely
Table 6. Probability of false alarm depending on n and the scenario

n    | d  | Case P_fa = P_nd | P_nd = 50% | P_nd = 15.86%
2^41 | 1  | 30.85%           | 15.86%     | 50%
2^42 | 2  | 23.98%           | 7.86%      | 33.94%
2^43 | 4  | 15.86%           | 2.28%      | 15.86%
2^44 | 8  | 7.86%            | 2^-8.74    | 3.37%
2^45 | 16 | 2.28%            | 2^-14.95   | 2^-9.53
2^46 | 32 | 2^-8.74          | 2^-26.95   | 2^-19.25

eliminate false alarms as $P_{fa}$ is always greater than $2^{-34}$. But false alarms can
be discarded by guessing the remaining key bits and testing each candidate with
a (plaintext, ciphertext) pair. Since 34 key bits are guessed in the core of the
attack,^3 there are only 56 − 34 = 22 bits left to guess.

Suppose we pick $n = 2^{45}$ samples and fix the probability of non-detection to
50%; then the number of false alarms is

$P_{fa} \times 2^{34} = 2^{19.05}$

Guessing the remaining 22 bits brings the complexity up to $2^{41.05}$ candidates.
One (plaintext, ciphertext) pair is then enough to identify the full secret key.
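The trade-offs of this section worked through numerically, as an added example that is not code from the paper: phi is the upper tail of the standard normal distribution, and d is taken as n / 2^41 as read from Table 6 (d = 1 at n = 2^41, the sample count of the 6-convolution linear distinguisher of Section 3.2).

```python
"""False-alarm trade-offs of Section 3.5 (added example, not the paper's code).

phi(x) is the upper tail Pr[N(0,1) > x] of the standard normal distribution.
The parameter d is taken as n / 2^41, as in Table 6 (d = 1 at n = 2^41).
"""
import math

KEY_BITS_GUESSED = 34         # bits fixed by the data analysis (Table 5)
REMAINING_KEY_BITS = 56 - 34  # bits brute-forced for every surviving candidate
LOG2_N_UNIT = 41              # n = 2^41 samples corresponds to d = 1


def phi(x):
    """phi(x) = (1/sqrt(2 pi)) * integral from x to infinity of exp(-u^2/2) du."""
    return 0.5 * math.erfc(x / math.sqrt(2))


def parameter_d(log2_n):
    """d grows linearly with the number of samples n."""
    return 2.0 ** (log2_n - LOG2_N_UNIT)


def false_alarm_probability(log2_n, scenario):
    """P_fa for the three scenarios of Table 6.

    The counters of the correct and of a wrong guess have means sqrt(d)
    standard deviations apart; the scenario fixes where the decision
    threshold is placed between them.
    """
    root_d = math.sqrt(parameter_d(log2_n))
    if scenario == "equal":    # P_fa = P_nd: threshold halfway between the means
        return phi(root_d / 2)
    if scenario == "nd50":     # P_nd = 50%: threshold at the mean of the correct guess
        return phi(root_d)
    if scenario == "nd15.86":  # P_nd = phi(1) = 15.86%: threshold one sigma below it
        return phi(root_d - 1)
    raise ValueError("unknown scenario: %s" % scenario)


def log2_false_alarms(log2_n, scenario):
    """log2 of the expected number of wrong guesses (out of 2^34 - 1) that pass."""
    return math.log2(false_alarm_probability(log2_n, scenario)) + KEY_BITS_GUESSED


def log2_finishing_cost(log2_n, scenario):
    """log2 of the trial encryptions needed to finish: every surviving candidate
    (false alarms plus the correct guess) is completed with the 22 remaining
    key bits and tested on one (plaintext, ciphertext) pair."""
    candidates = 2 ** log2_false_alarms(log2_n, scenario) + 1
    return math.log2(candidates) + REMAINING_KEY_BITS


def table6():
    """Rows (log2 n, d, P_fa equal, P_fa nd50, P_fa nd15.86) for n = 2^41 .. 2^46."""
    return [(k, parameter_d(k),
             false_alarm_probability(k, "equal"),
             false_alarm_probability(k, "nd50"),
             false_alarm_probability(k, "nd15.86")) for k in range(41, 47)]


if __name__ == "__main__":
    print("log2 n    d   P_fa=P_nd   P_nd=50%   P_nd=15.86%")
    for k, d, p_eq, p_50, p_15 in table6():
        print("%6d %4d   %8.2e   %8.2e   %8.2e" % (k, d, p_eq, p_50, p_15))
    print("n = 2^45, P_nd = 50%%: 2^%.2f false alarms, 2^%.2f trial encryptions"
          % (log2_false_alarms(45, "nd50"), log2_finishing_cost(45, "nd50")))
```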


3.6 Summary

— The memory complexity of the attack is always the size of $T_0$, i.e. a table
containing 2^35 entries of 2 bytes each.

— The time complexity of the attack is at least the complexity of the data
analysis, i.e. 2^43 steps of computation.

— The data complexity of the attack can range between n = 2^41 and n = 2^46
chosen plaintexts. In all cases, the key recovery is faster than exhaustive
search, but the exact complexity depends on n.

— For example, when n = 2^45, the full secret key can be recovered with probability
50% after 2^41 trial DES encryptions. This is the trade-off we suggest
to use.

4 Link Between Davies-Murphy Cryptanalysis and Linear Cryptanalysis

It has been known since Biham's work [2] that there exists an underlying linear attack
with complexity similar to that of the Davies-Murphy attack. In this paper, we also use a
biased linear combination of bits in order to improve the Davies-Murphy attack.
Therefore a natural question is to explain the link between both techniques, in
the general case.

3 7 of them are only intermediate bits, but they give a condition on a few key bits. Hence
their entropy is equivalent to 7 key bits in practice.
An important parameter is the data complexity ratio between the optimal
distinguisher (used in the original Davies-Murphy cryptanalysis) and the best
linear distinguisher for outputs of pairs of adjacent S-boxes. As seen in Table 4,
the more rounds are applied, the closer the complexities are. In this section, we
explain this phenomenon and account for the exact values of the ratios observed
in Table 4. We show that, due to the effects of the convolutions, the same phenomenon
will always be observed, independently of the original distribution. To
some extent, this shows that linear cryptanalysis is always optimal.

4.1 Optimal vs Best Linear Distinguishers

Suppose we have a random variable X that follows a distribution D or the
uniform distribution U (in the Davies-Murphy case, $D = D_0^t$ or $D_1^t$ for some t).
Let $S = \{0, \dots, 2^n\}$ be the image set of X. Our goal is to distinguish between
these two distributions. Basically, there are two approaches: we can use the best
(optimal) distinguisher, or we can restrict the analysis to linear distinguishers
only.

Optimal Distinguisher. It is well known (see [1] for instance) that the optimal
distinguisher between D and U has probability of error

$P_e = \frac{1}{\sqrt{2\pi}} \int_{-\infty}^{-\sqrt{d}/2} e^{-u^2/2}\, du$

when the number of samples n is related to the parameter d by

$n = \frac{d}{\Delta(D)}$

and $\Delta(D)$ is the Squared Euclidean Imbalance (SEI) of D from U. If for any
$x \in S$, $D(x)$ denotes the probability that X = x, the SEI is computed as

$\Delta(D) = |S| \sum_{x \in S} \left(D(x) - \frac{1}{|S|}\right)^2$

Linear Distinguisher. Consider a linear combination $\lambda(X)$ of the bits of X.
Suppose that, when X follows D, it satisfies:

$\Pr_D[\lambda(X) = 1] = \frac{1}{2}(1 + \epsilon)$

then it is well known that about $n = \epsilon^{-2}$ samples are needed to detect this bias.
We introduce the usual notation

$LP(\lambda) = \left(\Pr_D[\lambda(X) = 1] - \Pr_D[\lambda(X) = 0]\right)^2 = \epsilon^2$

The question is to determine the $LP_{max} = \max_\lambda \{LP(\lambda)\}$ of the best linear
distinguisher for a given distribution D. By definition, it requires more data
than the optimal distinguisher, but we are interested in the ratio between the
two complexities.
Relation Between $\Delta(D)$ and $LP_{max}$. Using the Fourier transform (see
Section 2.4 of [1]), one shows that

$\Delta(D) = \sum_{\lambda \neq 0} LP(\lambda)$ (7)

Therefore we can derive the following bound for the ratio between the two data
complexities:

$LP_{max} \le \Delta(D) \le (2^n - 1)\, LP_{max}$

It can be shown that both bounds are actually tight, so the best linear distinguisher
can be significantly worse (up to a factor of $2^n$) than the optimal
distinguisher. However, in Davies-Murphy cryptanalysis, we are dealing with
particular distributions.
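An added example, not code from the paper, serving Sections 2.2 and 2.3 as well as relation (7) above and the multiplication of LP under convolution used in (8): it enumerates the 2^10 inputs of (S1, S2) allowed by constraints (1) and (2) using the FIPS 46 tables for S1 and S2, builds $D_0$ and $D_1$, checks the parity property under XOR-convolution, and verifies that the SEI equals the sum of LP over non-zero masks. Exact rationals are used, so every identity is checked exactly rather than approximately.

```python
"""Davies-Murphy imbalance of the adjacent DES S-boxes (S1, S2).

Added example, not code from the paper.  Builds the output distributions
D0 / D1 of Section 2.2 from the FIPS 46 tables of S1 and S2, checks the
parity property of Section 2.3 under XOR-convolution, and verifies
relation (7) (SEI = sum of LP over non-zero masks) and the multiplication
of LP under convolution used in (8).  Exact rationals, so checks are exact.
"""
import math
from fractions import Fraction
from itertools import product

S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]
S2 = [[15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
      [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
      [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
      [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9]]


def bit(x, i):
    """Bit i of a 6-bit input (a_1, ..., a_6), numbered 1..6 from the left."""
    return (x >> (6 - i)) & 1


def sbox(table, x):
    """DES S-box: the outer bits (a_1, a_6) pick the row, (a_2..a_5) the column."""
    row = (bit(x, 1) << 1) | bit(x, 6)
    col = (x >> 1) & 0xF
    return table[row][col]


def pair_distribution(s, t):
    """Distribution of the 8-bit output (V1, V2) of (S1, S2) for a random round
    input when the key satisfies s = k5^k7 and t = k6^k8, i.e. (A, B) ranges
    over the 2^10 pairs with a5^b1 = s and a6^b2 = t (constraints (1), (2))."""
    dist = {v: Fraction(0) for v in range(256)}
    for a, b in product(range(64), repeat=2):
        if bit(a, 5) ^ bit(b, 1) != s or bit(a, 6) ^ bit(b, 2) != t:
            continue
        dist[(sbox(S1, a) << 4) | sbox(S2, b)] += Fraction(1, 1024)
    return dist


def xor_convolve(p, q):
    """(p * q)(x) = sum_a p(a) q(a ^ x): law of the XOR of two independent
    samples, i.e. one more unbalanced round output added to the sum."""
    r = {x: Fraction(0) for x in range(256)}
    for a, pa in p.items():
        if pa:
            for b, qb in q.items():
                r[a ^ b] += pa * qb
    return r


def lp(dist, mask):
    """LP(lambda) = (Pr[lambda(X)=1] - Pr[lambda(X)=0])^2 for the mask lambda."""
    bias = sum(px if bin(x & mask).count("1") % 2 == 0 else -px
               for x, px in dist.items())
    return bias * bias


def sei(dist):
    """Squared Euclidean Imbalance |S| * sum_x (D(x) - 1/|S|)^2 with |S| = 256."""
    return 256 * sum((px - Fraction(1, 256)) ** 2 for px in dist.values())


def best_linear(dist):
    """LP_max and the number m of non-zero masks reaching it (Section 4.2)."""
    lps = [lp(dist, mask) for mask in range(1, 256)]
    lp_max = max(lps)
    return lp_max, lps.count(lp_max)


if __name__ == "__main__":
    D00, D01, D10, D11 = (pair_distribution(s, t) for s, t in product((0, 1), repeat=2))
    print("depends only on k = s^t:", D00 == D11 and D01 == D10)
    D0, D1 = D00, D01
    print("D0 + D1 uniform:", all(D0[x] + D1[x] == Fraction(1, 128) for x in range(256)))
    print("D1*D1 == D0*D0:", xor_convolve(D1, D1) == xor_convolve(D0, D0))
    print("SEI(D0) == sum of LP:", sei(D0) == sum(lp(D0, mask) for mask in range(1, 256)))
    lp_max, m = best_linear(D0)
    print("LP_max = 2^%.2f reached by m = %d mask(s)" % (math.log2(lp_max), m))
    print("after 6 convolutions: LP_max^6 = 2^%.1f" % (6 * math.log2(lp_max)))
```

For comparison, Table 7 of the paper reports m = 1 and LP_max = 2^8 (as the inverse data complexity) for the pair (1,2).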

4.2 The Case of Davies-Murphy Cryptanalysis

The target distribution $D_1^t$ in this case is obtained after t convolutions. In practice,
when t grows, the ratio apparently gets small (see Table 4). In this section,
we explain the ratios observed. Since linear biases are just multiplied after each
convolution, (7) can be re-expressed as:

$\Delta(D_i^t) = \sum_{\lambda \neq 0} LP(\lambda)^t$ (8)

where the $LP(\cdot)$ are computed with respect to the base distribution $D_i$ (by symmetry
it does not matter whether the parity bit i is 0 or 1).

Suppose now that there are $m < 2^n - 1$ linear forms whose LP is equal to
$LP_{max}$, and that all other $\lambda$ are such that

$LP(\lambda) \le \alpha\, LP_{max}$

for some $0 < \alpha < 1$. Then (8) yields

$m\,(LP_{max})^t \le \Delta(D_i^t) \le \left(m + \alpha^t (2^n - 1 - m)\right) (LP_{max})^t$

When t is big enough, then $\alpha^t \ll 1$ and

$\Delta(D_i^t) \approx m\,(LP_{max})^t$ (9)

We can compute $LP_{max}$ and m in the case of DES. These results are summarized
in Table 7.

In practice, the approximation of equation (9) accurately predicts the maximum
linear bias and the loss between optimal and linear distinguishers. The
weakest couples of DES S-boxes w.r.t. linear distinguishers are the ones that
have a small number of linear forms reaching the maximum bias $LP_{max}$. For
the best pair of S-boxes (S7, S8), $LP_{max}$ is only reached once, so the ratio between
both distinguishers is almost 1 after 6 convolutions. Hence, replacing the
optimal distinguisher with the best linear one does not result in a significant
deterioration.
Table 7. Difference Between Optimal and Linear Distinguisher Explained

Pair of S-boxes                  | (1,2)  | (2,3)  | (3,4)   | (4,5)  | (5,6)  | (6,7)  | (7,8)  | (8,1)
m                                | 1      | 10     | 8       | 4      | 2      | 1      | 1      | 4
log_2 m                          | 0      | 3.3    | 3       | 2      | 1      | 0      | 0      | 2
LP_max                           | 2^8    | 2^8.83 | 2^10.83 | 2^8.83 | 2^8.83 | 2^8    | 2^6.83 | 2^9.66
Opt. Dist. Δ(D^6), t = 6         | 2^47.9 | 2^49.6 | 2^62    | 2^50.9 | 2^51.9 | 2^47.9 | 2^40.8 | 2^55.9
Best Lin. Dist. LP_max^6, t = 6  | 2^48   | 2^53   | 2^65    | 2^53   | 2^53   | 2^48   | 2^41   | 2^58
Expected value from (9), t = 6   | 2^47.9 | 2^52.9 | 2^65    | 2^52.9 | 2^52.9 | 2^47.9 | 2^40.8 | 2^57.9
Opt. Dist. Δ(D^8), t = 8         | 2^64   | 2^67.3 | 2^83.6  | 2^68.6 | 2^69.6 | 2^64   | 2^54.6 | 2^75.3
Best Lin. Dist. LP_max^8, t = 8  | 2^64   | 2^70.6 | 2^86.6  | 2^70.6 | 2^70.6 | 2^64   | 2^54.6 | 2^77.3
Expected value from (9), t = 8   | 2^64   | 2^70.6 | 2^86.6  | 2^70.6 | 2^70.6 | 2^64   | 2^54.6 | 2^77.3

4.3 Summary

A consequence of the convolutions involved in Davies-Murphy cryptanalysis is
that distributions become very quickly "smooth". Therefore the complexity of
the optimal distinguisher can increase very quickly after several rounds, while
the complexity of a linear distinguisher increases more regularly.

Hence, using a linear distinguisher becomes almost optimal after several convolutions.
This explains the phenomenon that Biham observed in [2], and it
also explains why we obtained good results in this paper while restricting our
analysis to linear distinguishers. This observation is independent of the initial
distribution, so it would make no difference if other S-boxes were used, for instance.
However, the linear characteristic used in our attack has some nice properties:

— it is iterative

— it uses only output bits of the round function

— the same linear form is used at every round

These properties allow us to concentrate on one half of the Feistel network, reducing
the effective number of rounds to consider from 16 down to 8 (algorithmic
tricks further reduce this number to 6). Therefore, although this linear characteristic
is not the best one known for DES, its particular form may be helpful
to optimize the data analysis phase.

5 Conclusion

In this paper, we improve the famous Davies-Murphy cryptanalysis of DES by
using 6 round output distributions (instead of 7 or 8 as in previous papers on
the topic [3, 6]). Several trade-offs are possible, but we describe a key-recovery
attack with a complexity of 2^45 chosen plaintexts. This positions the attack at the
second rank of cryptanalysis of DES: slightly better than Biham and Shamir's
differential cryptanalysis but slightly worse than Matsui's linear cryptanalysis.

In addition, we have shown that using linear distinguishers for the Davies-Murphy
cryptanalysis is almost an optimal choice, because of the particular
structure of the attack. Therefore Davies-Murphy cryptanalysis is closely related
to a particular family of linear attacks, where the linear mask involves
only the round output. This allows for efficient optimizations of the data collection
and data analysis. At the same time, it shows that it is unlikely to
(significantly) outperform Matsui's attack with further algorithmic
improvements.
A Detailed Steps of the Data Analysis Phase

A.1 Step 3

In step number 3, we guess the key bits involved in S5 at the first round.
Luckily, 4 of these bits $(K_4, K_{22}, K_{28}, K_{39})$ are already known. Thanks to the key
scheduling properties, only $K_{37}$ and $K_{54}$ need to be guessed. We know the plaintext
bits involved in S5 (part of them are arbitrary constants, the rest is contained
in the pattern of table $T_2$). So we can predict S5's output and in particular the
bit $U_{24}$. 2 plaintext bits are no longer needed and the new table $T_3$ contains the
number of occurrences of the 23-bit pattern formed by:

— The bit $\lambda(p_R) \oplus \lambda(c_R) \oplus \lambda(W)$

— The 12 bits $(p_{52}, \dots, p_{63})$ from the plaintext

— The 9 bits $(p_1, p_{25}, \dots, p_{32})$ from the plaintext

— The intermediate bit $p_{24} \oplus U_{24}$


A.2 Step 4

In step number 4, we guess the key bits involved in S6 at the first round. Luckily, 3 of these bits (K_23, K_29, K_53) are already known. Thanks to the key scheduling properties, only K_5, K_30 and K_47 need to be guessed. We predict S6's output and in particular the bits U_27 and U_32. 4 plaintext bits are no longer needed and the new table T4 contains the number of occurrences of the 19-bit pattern formed by:

- The bit λ(p_R) ⊕ λ(c_R) ⊕ λ(W)

- The 8 bits (p_56, ..., p_63) from the plaintext

- The 7 bits (p_1, p_25, p_26, p_28, p_29, p_30, p_31)

- The 3 intermediate bits (p_24 ⊕ U_24, p_27 ⊕ U_27, p_32 ⊕ U_32)


A.3 Step 5

In step number 5, we guess the key bits involved in S7 at the first round. Luckily, 2 of these bits (An, K^) are already known. Thanks to the key scheduling properties, only K_15, K_20, Ass and An need to be guessed. We predict S7's output and in particular the bit U_30. 4 plaintext bits are no longer needed and the new table T5 contains the number of occurrences of the 15-bit pattern formed by:

- The bit λ(p_R) ⊕ λ(c_R) ⊕ λ(W)

- The 4 bits (p_60, ..., p_63) from the plaintext

- The 6 bits (p_1, p_25, p_26, p_28, p_29, p_31)

- The 4 intermediate bits (p_24 ⊕ U_24, p_27 ⊕ U_27, p_30 ⊕ U_30, p_32 ⊕ U_32)

A.4 Step 6

In step number 6, we guess the key bits involved in S8 at the first round. Hence we need to guess K_13, K_14, K_31, K_45, K_55 and K_62. Then we predict S8's output and in particular the bit U_25. 4 plaintext bits are no longer needed and the new table T6 contains the number of occurrences of the 11-bit pattern formed by:

- The bit λ(p_R) ⊕ λ(c_R) ⊕ λ(W)

- The 5 bits (p_1, p_26, p_28, p_29, p_31)

- The 5 intermediate bits (p_24 ⊕ U_24, p_25 ⊕ U_25, p_27 ⊕ U_27, p_30 ⊕ U_30, p_32 ⊕ U_32)


A.5 Step 7

In step number 7, we guess the missing input bits of S-box S7 at the second round. The actual input is

(p_24 ⊕ U_24, ..., p_29 ⊕ U_29) ⊕ (K_53, K_13, K_30, K_55, K_6, K_12)

Thanks to the key scheduling properties, we already know 4 of these key bits. Besides, we already know 3 intermediate bits of the form p_i ⊕ U_i. The missing U_i's are not known but they depend only on the key and the fixed plaintext bits, so their value is the same for all samples. So we can guess the 3 bits (U_26, U_28 ⊕ K_6, U_29 ⊕ K_12) and predict S7's output. Then, we determine V_7 ⊕ V_12 ⊕ V_22 ⊕ V_32. The new table T7 contains the number of occurrences of the 7-bit pattern formed by:

- The bit λ(p_R) ⊕ λ(c_R) ⊕ λ(W) ⊕ V_7 ⊕ V_12 ⊕ V_22 ⊕ V_32

- The 4 bits (p_1, p_28, p_29, p_31)

- The 2 intermediate bits (p_30 ⊕ U_30, p_32 ⊕ U_32)


A.6 Step 8

In step number 8, we guess the missing input bits of S-box S8 at the second round. Thanks to the key scheduling properties, all key bits involved (K_5, K_6, K_23, K_37, K_47 and K_54) are already known. Hence we just need to guess the 4 missing input bits U_1, U_28, U_29, U_31, in order to predict S8's output and in particular V_5 ⊕ V_21 ⊕ V_27. Hence we know the value of λ(V). The new table T8 contains the number of occurrences of the bit:

- The bit λ(p_R) ⊕ λ(c_R) ⊕ λ(W) ⊕ λ(V)
Abstract. KASUMI is an 8-round Feistel block cipher used in the confidentiality and the integrity algorithms of the 3GPP mobile communications. As more and more 3GPP networks are being deployed, more and more users use KASUMI to protect their privacy. Previously known attacks on KASUMI can break up to 6 out of the 8 rounds faster than exhaustive key search, and no attacks on the full KASUMI have been published.

In this paper we apply the recently introduced related-key boomerang and rectangle attacks to KASUMI, resulting in an attack that is faster than exhaustive search against the full cipher. We also present a related-key boomerang distinguisher for 6-round KASUMI using only 768 adaptively chosen plaintexts and ciphertexts encrypted or decrypted under four related keys.

Recently, it was shown that the security of the entire encryption system of the 3GPP networks cannot be proven using only the "ordinary" assumption that the underlying cipher (KASUMI) is a Pseudo-Random Permutation. It was also shown that if we assume that KASUMI is also secure with respect to differential-based related-key attacks then the security of the entire system can be proven. Our results show that theoretically, KASUMI is not secure with respect to differential-based related-key attacks, and thus, the security of the entire encryption system of the 3GPP cannot be proven at this time.


1 Introduction

KASUMI [31] is a 64-bit block cipher used in the confidentiality and the integrity algorithms of the 3GPP mobile communications. KASUMI was developed through the collaborative efforts of the 3GPP organizational partners. It is a slight modification of the known block cipher MISTY1 [27], optimized for implementation in hardware.
B. Roy (Ed.): ASIACRYPT 2005, LNCS 3788, pp. 443-461, 2005.

© International Association for Cryptologic Research 2005

E. Biham, O. Dunkelman, and N. Keller


The security of the entire 3GPP mobile network relies on the security of the underlying block cipher KASUMI. Initial examination of the modes of operation used in the 3GPP networks showed that if KASUMI is a Pseudo-Random Permutation (PRP), then the entire network is provably secure [20,16]. However, it appeared that the proof was incorrect [17]. Moreover, it was shown that assuming only that the underlying cipher is a PRP, the security of the modes of operation cannot be proven [17]. In [18], Iwata and Kohno showed that if KASUMI is a PRP and is also secure with respect to differential-based related-key attacks, then the modes in which KASUMI is used can be proven secure. This result shows that the strength of KASUMI with respect to related-key attacks is crucial to the security of the entire mobile network.

KASUMI accepts 128-bit keys and consists of eight Feistel rounds. Previous 
results on KASUMI include an impossible differential attack on a 6-round version 
of the cipher presented by Kuhn [25] and a related-key differential attack on a 
6-round version of the cipher presented by Blunden and Escott [12]. There are 
no known attacks applicable to the full 8-round KASUMI. 

In this paper we apply the recently introduced related-key boomerang and 
rectangle attacks to the full 8-round KASUMI and to reduced-round versions of 
the cipher. 

The boomerang attack [33] is an adaptive chosen plaintext and ciphertext attack built over differential cryptanalysis [9]. The cipher is treated as a cascade of two sub-ciphers, and a short differential is used in each of these two sub-ciphers. These two differentials are combined in an elegant way to suggest some property of the entire cipher with high probability that can be detected using adaptive chosen plaintext and ciphertext queries.

The boomerang attack was further developed in [21] into a chosen plaintext attack called the amplified boomerang attack. The transformation uses birthday paradox techniques to eliminate the adaptive nature of the attack by encrypting large sets of plaintexts. After the encryption of the plaintexts, the attacker searches for quartets of plaintexts that behave as if they were constructed in the boomerang process. The transformation to a chosen plaintext attack (instead of an adaptive chosen plaintext and ciphertext attack) has a price, both in a much larger data complexity and in a much more complicated algorithm for the identification of the right quartets. After its introduction, the amplified boomerang attack was further developed into the rectangle attack [6]. The rectangle attack utilizes a more careful analysis that shows that the probability of a right quartet is significantly higher than suggested by the amplified boomerang attack. Also an optimized algorithm for finding and identifying the right quartets was given in [7]. The boomerang and the rectangle attacks were used to attack several reduced-round versions of block ciphers, including the AES, Serpent, SHACAL-1, COCONUT98 (the full cipher), SC2000, Khufu and FEAL.

Related-key attacks were introduced by Biham [2] in 1993. This technique assumes that the attacker is able to request the encryptions of plaintexts under two related keys: an unknown key and a key (also unknown) that is related to it in some known way. Under this assumption, the attacker uses the relations between the keys and various weaknesses of the cipher to derive information about the two keys. In [2] a related-key attack was applied to a modified variant of DES [28], to LOKI [13] and to Lucifer [29]. In [22] Kelsey et al. combined the related-key technique with differential cryptanalysis [9]. In the related-key differential attack, the attacker requests the encryption of pairs of plaintexts with some chosen difference under the unknown key and under a related key such that the difference between the keys is chosen by the attacker. Related-key differential attacks were used to attack several full/reduced versions of block ciphers, including AES [14], KASUMI [31], and others (see the attacks of [19,12,22]).

The related-key boomerang and rectangle attacks were presented by Kim et al. [23,24] and independently by Biham et al. [8]. These attacks are a combination of the boomerang/rectangle technique with the related-key differential technique. In the attack, the attacker examines quartets of plaintexts encrypted under four differentially related keys. The key differences are used to improve the two differentials used for the boomerang (or the rectangle) distinguisher. Related-key boomerang and rectangle attacks were used to attack reduced versions of AES [14], IDEA [26] and SHACAL-1 [15] and the full COCONUT98 [32].

In this paper we present a key recovery related-key rectangle attack on the entire 8-round version of KASUMI. The attack requires 2^54.6 chosen plaintexts encrypted under four related keys and has time complexity of 2^76.1 encryptions. We also present a related-key boomerang distinguisher of 6-round KASUMI. The distinguisher requires 768 adaptive chosen plaintexts and ciphertexts encrypted under four related keys and has a negligible time complexity. We summarize our results along with previously known results on KASUMI in Table 1.¹

Our results do not practically compromise the security of the 3GPP mobile 
networks. However, our results show that KASUMI cannot be considered secure 
against differential-based related-key attacks. Therefore, the security of the entire 
mobile network cannot be proven at this stage. 

This paper is organized as follows: In Section 2 we give a brief description of 
the structure of KASUMI. In Section 3 we describe the related-key boomerang 
and rectangle attacks. In Section 4 we present a related-key rectangle attack on 
the full KASUMI. Section 5 contains a related-key boomerang distinguisher of 
6-round KASUMI. Finally, Section 6 summarizes the paper. 


¹ We note that several generic attacks that apply to any block cipher with 64-bit block and 128-bit keys, such as exhaustive key search, key-collision, and time-memory-data tradeoffs, may be used to attack the cipher. For example, a key-collision attack on this cipher has time complexity of 2^64 encryptions using 2^64 known plaintexts, each encrypted under a different key [3]. For time-memory-data tradeoff attacks using four different keys as in our attack, the overall time complexity (including preprocessing) is very close to the time complexity of an exhaustive key search. A time-memory-data tradeoff attack using a fixed known plaintext encrypted under a large number of 2^43 keys can be performed with on-line computation of 2^84 encryptions and preprocessing of 2^85 encryptions [11].
Table 1. Summary of the Attacks on KASUMI

Attack                               Rounds  Keys  Data (Complexity)  Time      Source
Higher-Order Differential            4†      1     2^10.5 CP          2^22.11   [30]
Related-Key Differential             6       1     2^18.6 RK-CP       2^113.6   [12]
Impossible Differential              6       1     2^55 CP            2^100     [25]
Related-Key Boomerang Distinguisher  6       4     768 RK-ACPC        1         Section 5.2
Related-Key Boomerang Key Recovery   6       34    2^13 RK-ACPC       2^13      Section 5.3
Basic Related-Key Rectangle          8       4     2^53 RK-CP         2^102     Section 4.2
Improved Related-Key Rectangle       8       4     2^54.6 RK-CP       2^76.1    Section 4.4
Related-Key Boomerang                8       4     2^45.2 RK-ACPC     2^78.7    Section 4.4

RK - Related-key, CP - Chosen plaintext, ACPC - Adaptive chosen plaintext and ciphertext.
Time complexity is measured in encryption units.
† - this attack is on a version of the cipher without the FL functions.

2 The KASUMI Cipher

KASUMI [31] is a 64-bit block cipher that has a key size of 128 bits. KASUMI was designed as a modification of MISTY1 [27], optimized for implementation in hardware. Therefore, most of the components of KASUMI are similar to the respective components of MISTY1.

KASUMI has a recursive structure. Each of its eight Feistel rounds is composed of an FO function which is a 3-round 32-bit Feistel construction, and of an FL function that mixes a 32-bit subkey with the data. The order of the two functions changes each round (in odd rounds the FL function is first, and in the even rounds the FO function is first).

The FO function also has a recursive structure. Each of the three rounds of the FO function consists of a key mixing stage and of an application of the FI function, yet another three-round Feistel construction. The FI functions use two non-linear S-boxes S7 and S9 (where S7 is a 7-bit to 7-bit permutation and S9 is a 9-bit to 9-bit permutation) and accept an additional 16-bit subkey, which is mixed with the data. In total, a 96-bit subkey enters FO in each round: 48 subkey bits used in the FI functions and 48 subkey bits in the key mixing stages.

Table 2. KASUMI's Key Schedule Algorithm

Round  KL_{i,1}   KL_{i,2}  KO_{i,1}   KO_{i,2}   KO_{i,3}    KI_{i,1}  KI_{i,2}  KI_{i,3}
1      K_1 <<< 1  K'_3      K_2 <<< 5  K_6 <<< 8  K_7 <<< 13  K'_5      K'_4      K'_8
2      K_2 <<< 1  K'_4      K_3 <<< 5  K_7 <<< 8  K_8 <<< 13  K'_6      K'_5      K'_1
3      K_3 <<< 1  K'_5      K_4 <<< 5  K_8 <<< 8  K_1 <<< 13  K'_7      K'_6      K'_2
4      K_4 <<< 1  K'_6      K_5 <<< 5  K_1 <<< 8  K_2 <<< 13  K'_8      K'_7      K'_3
5      K_5 <<< 1  K'_7      K_6 <<< 5  K_2 <<< 8  K_3 <<< 13  K'_1      K'_8      K'_4
6      K_6 <<< 1  K'_8      K_7 <<< 5  K_3 <<< 8  K_4 <<< 13  K'_2      K'_1      K'_5
7      K_7 <<< 1  K'_1      K_8 <<< 5  K_4 <<< 8  K_5 <<< 13  K'_3      K'_2      K'_6
8      K_8 <<< 1  K'_2      K_1 <<< 5  K_5 <<< 8  K_6 <<< 13  K'_4      K'_3      K'_7

X <<< i: X rotated to the left by i bits
Fig. 1. Outline of KASUMI (figure legend: ∩ bitwise AND, ∪ bitwise OR, <<< rotate left by one bit)


The FL function accepts 32-bit input and two 16-bit subkey words. One subkey word affects the data using the OR operation, while the second one affects the data using the AND operation. We outline the structure of KASUMI and its parts in Figure 1.

One of the major differences between KASUMI and MISTY1 is in the key schedule. In KASUMI, the subkeys are derived from the key in a linear way: The 128-bit key K is divided into eight 16-bit words: K_1, K_2, ..., K_8. Each K_i is used to compute K'_i = K_i ⊕ C_i, where the C_i's are known and fixed constants. The constants C_i are interleaved with the key bits in order to avoid weak-key classes based on fixing key bits to be zero. Such weak keys were found in IDEA [26] (see for example [10]) and in other ciphers as well.
Table 3. KASUMI's Key Schedule Constants

Round     1       2       3       4       5       6       7       8
Constant  C_1     C_2     C_3     C_4     C_5     C_6     C_7     C_8
Value     0123_x  4567_x  89AB_x  CDEF_x  FEDC_x  BA98_x  7654_x  3210_x


In each round, eight words are used as the round subkey (up to some in-word rotations). Therefore, the 128-bit subkey of each round depends linearly on the secret key in a very simple way. We give the exact key schedule of KASUMI in Table 2 and list the values of the constants in Table 3.
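As an added illustration (example code written for this edited version, not part of the paper or of the 3GPP specification), the following Python implements the key schedule of Tables 2 and 3 and derives the subkey differences that a key difference produces. The function and variable names are the example's own; the subkey naming follows Table 2. Because the schedule consists only of rotations and XORs with constants, the constants cancel in any difference, which is exactly the linearity the text relies on: every subkey difference follows from the key difference alone.

```python
# Added example (not from the paper): KASUMI's linear key schedule as given in
# Tables 2 and 3, and the subkey differences that a key difference produces.
import random
from typing import Dict, List, Optional, Tuple

# Key schedule constants C_1 .. C_8 (Table 3).
KASUMI_CONSTANTS = [0x0123, 0x4567, 0x89AB, 0xCDEF, 0xFEDC, 0xBA98, 0x7654, 0x3210]

SUBKEY_NAMES = ("KL1", "KL2", "KO1", "KO2", "KO3", "KI1", "KI2", "KI3")


def rotl16(x: int, r: int) -> int:
    """Rotate a 16-bit word left by r bits (the <<< operator of Table 2)."""
    r %= 16
    return ((x << r) | (x >> (16 - r))) & 0xFFFF


def key_schedule(key_words: List[int]) -> List[Dict[str, int]]:
    """Round subkeys for rounds 1..8 from the eight 16-bit key words K_1..K_8.

    Per Table 2, with word indices taken modulo 8 (in 1..8) and K'_j = K_j XOR C_j:
      KL_{i,1} = K_i <<< 1        KL_{i,2} = K'_{i+2}
      KO_{i,1} = K_{i+1} <<< 5    KO_{i,2} = K_{i+5} <<< 8    KO_{i,3} = K_{i+6} <<< 13
      KI_{i,1} = K'_{i+4}         KI_{i,2} = K'_{i+3}         KI_{i,3} = K'_{i+7}
    """
    if len(key_words) != 8 or any(not 0 <= w <= 0xFFFF for w in key_words):
        raise ValueError("key must be eight 16-bit words")

    def k(j: int) -> int:            # K_j, index wrapped to 1..8
        return key_words[(j - 1) % 8]

    def kp(j: int) -> int:           # K'_j = K_j XOR C_j
        return key_words[(j - 1) % 8] ^ KASUMI_CONSTANTS[(j - 1) % 8]

    rounds = []
    for i in range(1, 9):
        rounds.append({
            "KL1": rotl16(k(i), 1),     "KL2": kp(i + 2),
            "KO1": rotl16(k(i + 1), 5), "KO2": rotl16(k(i + 5), 8), "KO3": rotl16(k(i + 6), 13),
            "KI1": kp(i + 4),           "KI2": kp(i + 3),           "KI3": kp(i + 7),
        })
    return rounds


def subkey_differences(key_difference: List[int],
                       base_key: Optional[List[int]] = None) -> List[Dict[str, int]]:
    """Subkey differences for a key difference ΔK, computed from the two keys
    K and K XOR ΔK.  Because the schedule is linear (rotations and XOR with
    constants only) the constants cancel and the result does not depend on K."""
    if base_key is None:
        rng = random.Random(2005)    # constructed sample key
        base_key = [rng.randrange(1 << 16) for _ in range(8)]
    other_key = [a ^ d for a, d in zip(base_key, key_difference)]
    return [{n: ra[n] ^ rb[n] for n in SUBKEY_NAMES}
            for ra, rb in zip(key_schedule(base_key), key_schedule(other_key))]


def active_subkeys(diffs: List[Dict[str, int]]) -> List[Tuple[int, str, int]]:
    """(round, subkey, difference) for every subkey word with a non-zero difference."""
    return [(i + 1, n, rd[n]) for i, rd in enumerate(diffs) for n in SUBKEY_NAMES if rd[n]]


def rotated(key_difference: List[int], r: int) -> List[int]:
    """Rotate every word of a key difference by r bits (the variant of Section 4.1)."""
    return [rotl16(w, r) for w in key_difference]


if __name__ == "__main__":
    dk_ab = [0, 0, 0x0001, 0, 0, 0, 0, 0]   # only the third word differs, in 0001_x
    for rnd, name, d in active_subkeys(subkey_differences(dk_ab)):
        print(f"round {rnd}: {name} difference {d:04x}")
```

Running it for ΔK_ab = (0,0,1,0,0,0,0,0) lists exactly one active subkey word per round; in round 4 it is KI_{4,3}, which is where Section 4.1 says the key difference of that round enters. Rotating all words of the key difference by the same amount rotates every subkey difference by that amount, which is why the characteristic can be rotated without changing its probability.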

3 Related-Key Boomerang and Related-Key Rectangle 
Attacks 

In this section we describe the related-key boomerang and related-key rectangle 
attacks. First, we outline the boomerang/rectangle attacks and the related-key 
differential attacks separately. Then, we describe the combination that forms the 
related-key boomerang and related-key rectangle attacks. 


3.1 The Boomerang and the Rectangle Attacks

The main idea behind the boomerang attack [33] is to use two short differentials with high probabilities instead of one long differential with a low probability. We assume that a block cipher E : {0,1}^n × {0,1}^k → {0,1}^n can be described as a cascade E = E_1 ∘ E_0, such that for E_0 there exists a differential α → β with probability p, and for E_1 there exists a differential γ → δ with probability q. We note that the second differential γ → δ for E_1 is actually used in the backward direction, i.e., decryption, but as we are dealing with differentials (and not truncated differentials), this does not change the probability of the differential.

The distinguisher is based on the following boomerang process:

- Ask for the encryption of a pair of plaintexts (P_1, P_2) such that P_1 ⊕ P_2 = α and denote the corresponding ciphertexts by (C_1, C_2).

- Calculate C_3 = C_1 ⊕ δ and C_4 = C_2 ⊕ δ, and ask for the decryption of the pair (C_3, C_4). Denote the corresponding plaintexts by (P_3, P_4).

- Check whether P_3 ⊕ P_4 = α.

The boomerang attack uses the first characteristic (α → β) for E_0 with respect to the pairs (P_1, P_2) and (P_3, P_4), and uses the second characteristic (γ → δ) for E_1 with respect to the pairs (C_1, C_3) and (C_2, C_4).

For a random permutation the probability that the last condition is satisfied is 2^{-n}. For E, the probability that the pair (P_1, P_2) is a right pair with respect to the first differential (α → β) is p. The probability that both pairs (C_1, C_3) and (C_2, C_4) are right pairs with respect to the second differential is q^2. If all these are right pairs, then E_1^{-1}(C_3) ⊕ E_1^{-1}(C_4) = β = E_0(P_3) ⊕ E_0(P_4). Thus, with probability p, P_3 ⊕ P_4 = α. The total probability of this quartet of plaintexts and ciphertexts to satisfy the boomerang conditions is (pq)^2.

The attack can be mounted for all possible β's and γ's simultaneously (as long as β ≠ γ). Therefore, a right quartet for E is encountered with probability no less than (p̂ q̂)^2, where:

$$\hat{p} = \sqrt{\sum_{\beta} \Pr^2[\alpha \to \beta]}, \qquad \text{and} \qquad \hat{q} = \sqrt{\sum_{\gamma} \Pr^2[\gamma \to \delta]}.$$

The complete analysis is given in [33,6,7].

As the boomerang attack requires adaptive chosen plaintexts and ciphertexts, many of the techniques that were developed for using distinguishers in key recovery attacks cannot be applied. This led to the introduction of chosen plaintext variants of the boomerang attack called the amplified boomerang attack [21] and the rectangle attack [6]. The transformation of the boomerang attack into a chosen plaintext attack is quite standard, as it can be achieved by birthday-paradox arguments. The key idea behind the transformation is to encrypt many plaintext pairs with input difference α, and to look for quartets that conform to the requirements of the boomerang process.

Given the same decomposition of E as before, and the same basic differentials, the analysis in [6] shows that out of N plaintext pairs, the number of right quartets is expected to be N^2 2^{-n} p̂^2 q̂^2. We note that the main reduction in the probability follows from the fact that unlike the boomerang attack, in the rectangle attack the event E_0(P_1) ⊕ E_0(P_3) = γ occurs with probability 2^{-n}.


3.2 Related-Key Differentials

Related-key differentials [22] were used for cryptanalysis several times in the past. Recall that a regular differential deals with some plaintext difference ΔP and a ciphertext difference ΔC such that

$$\Pr_{P,K}\left[E_K(P) \oplus E_K(P \oplus \Delta P) = \Delta C\right]$$

is high enough (or zero [5]).

A related-key differential is a triplet of a plaintext difference ΔP, a ciphertext difference ΔC, and a key difference ΔK, such that

$$\Pr_{P,K}\left[E_K(P) \oplus E_{K \oplus \Delta K}(P \oplus \Delta P) = \Delta C\right]$$

is useful (high enough or zero).


3.3 Related-Key Boomerang Attacks

Let us assume that we have a related-key differential α → β of E_0 under a key difference ΔK_ab with probability p. Assume also that we have another related-key differential γ → δ for E_1 under a key difference ΔK_ac with probability q.

Fig. 2. A Related-Key Boomerang Quartet


The related-key boomerang process involves four different unknown (but related) keys: K_a, K_b = K_a ⊕ ΔK_ab, K_c = K_a ⊕ ΔK_ac, and K_d = K_a ⊕ ΔK_ab ⊕ ΔK_ac. The attack is performed by the following algorithm:

- Choose a plaintext P_a at random, and compute P_b = P_a ⊕ α.

- Ask for the ciphertexts C_a = E_{K_a}(P_a) and C_b = E_{K_b}(P_b).

- Compute C_c = C_a ⊕ δ and C_d = C_b ⊕ δ.

- Ask for the plaintexts P_c = E^{-1}_{K_c}(C_c) and P_d = E^{-1}_{K_d}(C_d).

- Check whether P_c ⊕ P_d = α.

See Figure 2 for an outline of such a quartet.

It is easy to see that for a random permutation, the probability that the last condition is satisfied is 2^{-n}. For E the probability that this condition is satisfied is p^2 q^2. Hence, the related-key boomerang attack can be used for distinguishing and key recovery attacks for this cipher.

The attack can use many differentials for E_0 and E_1 simultaneously (just like in a regular boomerang attack), as long as all related-key differentials used in E_0 have the same key difference ΔK_ab and the same input difference α, and all related-key differentials used in E_1 have the same key difference ΔK_ac and the same output difference δ. Thus, the probability of a quartet to be a right one is p̂^2 q̂^2.

In the case of KASUMI, the key schedule algorithm is linear. Therefore, given a key difference, all subkey differences are known, and can be easily used in the related-key model.
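As an added example (constructed for this edited version, not taken from the paper), the five steps above are run in Python against a toy cipher E = E_1 ∘ E_0 on 8-bit blocks, where E_0(x) = S(x ⊕ k_0) and E_1(x) = S(x ⊕ k_1) ⊕ k_2 for a fixed random bijection S. The toy is chosen so that the two related-key differentials are visible without any probability estimation: with ΔK_ab = (α, 0, 0) the key difference cancels the plaintext difference in front of the first S-box, so α → 0 holds for E_0 with probability 1, and with ΔK_ac = (0, 0, δ) the difference δ is cancelled behind the second S-box, so 0 → δ holds for E_1 with probability 1. Hence p = q = 1 and every quartet returns with P_c ⊕ P_d = α, whereas the same check with all four keys equal succeeds only with probability about 2^{-n}. The cipher, the S-box and all names are the example's own assumptions.

```python
# Added example (not from the paper): the related-key boomerang process of
# Section 3.3 run against a constructed toy cipher with four related keys.
import random
from typing import Tuple

BLOCK_BITS = 8
MASK = (1 << BLOCK_BITS) - 1
Key = Tuple[int, int, int]     # (k0, k1, k2): one 8-bit word per key-mixing layer

# A fixed random 8-bit bijection used as the S-box (constructed for the demo).
_rng = random.Random(20051204)
SBOX = list(range(MASK + 1))
_rng.shuffle(SBOX)
SBOX_INV = [0] * (MASK + 1)
for _x, _y in enumerate(SBOX):
    SBOX_INV[_y] = _x


class ToyCipher:
    """E = E1 ∘ E0 with E0(x) = S(x ⊕ k0) and E1(x) = S(x ⊕ k1) ⊕ k2."""

    def __init__(self, key: Key):
        self.k0, self.k1, self.k2 = key

    def encrypt(self, p: int) -> int:
        x = SBOX[p ^ self.k0]               # E0
        return SBOX[x ^ self.k1] ^ self.k2  # E1

    def decrypt(self, c: int) -> int:
        x = SBOX_INV[c ^ self.k2] ^ self.k1  # E1^{-1}
        return SBOX_INV[x] ^ self.k0         # E0^{-1}


def xor_key(key: Key, delta: Key) -> Key:
    return tuple(k ^ d for k, d in zip(key, delta))


def related_key_boomerang(key_a: Key, dk_ab: Key, dk_ac: Key,
                          alpha: int, delta: int, p_a: int) -> bool:
    """One run of the five-step process of Section 3.3; True if P_c ⊕ P_d = α."""
    key_b = xor_key(key_a, dk_ab)            # K_b = K_a ⊕ ΔK_ab
    key_c = xor_key(key_a, dk_ac)            # K_c = K_a ⊕ ΔK_ac
    key_d = xor_key(key_b, dk_ac)            # K_d = K_a ⊕ ΔK_ab ⊕ ΔK_ac
    p_b = p_a ^ alpha                        # step 1
    c_a = ToyCipher(key_a).encrypt(p_a)      # step 2: encryption queries
    c_b = ToyCipher(key_b).encrypt(p_b)
    c_c, c_d = c_a ^ delta, c_b ^ delta      # step 3
    p_c = ToyCipher(key_c).decrypt(c_c)      # step 4: decryption queries
    p_d = ToyCipher(key_d).decrypt(c_d)
    return (p_c ^ p_d) == alpha              # step 5


def boomerang_hit_rate(dk_ab: Key, dk_ac: Key, alpha: int, delta: int,
                       trials: int = 256, seed: int = 1) -> float:
    """Fraction of random (key, plaintext) trials for which the quartet returns."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key_a = tuple(rng.randrange(MASK + 1) for _ in range(3))
        p_a = rng.randrange(MASK + 1)
        hits += related_key_boomerang(key_a, dk_ab, dk_ac, alpha, delta, p_a)
    return hits / trials


if __name__ == "__main__":
    alpha, delta = 0x35, 0x9C
    # ΔK_ab cancels α in front of the first S-box (α → 0 for E0 with probability 1);
    # ΔK_ac cancels δ behind the second one (0 → δ for E1 with probability 1).
    print("related keys:", boomerang_hit_rate((alpha, 0, 0), (0, 0, delta), alpha, delta))
    print("single key:  ", boomerang_hit_rate((0, 0, 0), (0, 0, 0), alpha, delta))
```

The contrast between the two printed rates is the whole point of the related-key setting: the key differences are what make the short differentials hold, so the quartet check separates the cipher from a random permutation even though, under a single key, a non-zero input difference can never give a zero output difference through a bijection.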

3.4 Related-Key Rectangle Attack

The transformation of the related-key boomerang attack into a related-key rectangle attack is similar to the transformation of the boomerang attack to the rectangle attack. The related-key rectangle distinguisher is as follows:

- Choose N plaintext pairs (P_a, P_b = P_a ⊕ α) at random and ask for the encryption of P_a under K_a and of P_b under K_b. Denote the set of these pairs by S.

- Choose N plaintext pairs (P_c, P_d = P_c ⊕ α) at random and ask for the encryption of P_c under K_c and P_d under K_d. Denote the set of these pairs by T.

- Search for a pair of plaintexts (P_a, P_b) ∈ S and a pair of plaintexts (P_c, P_d) ∈ T, and their corresponding ciphertexts (C_a, C_b) and (C_c, C_d), respectively, satisfying:

  • P_a ⊕ P_b = P_c ⊕ P_d = α

  • C_a ⊕ C_c = C_b ⊕ C_d = δ

The analysis of the related-key rectangle attack is similar to the one of the rectangle attack (with the same modifications that were presented for the related-key boomerang attack). Starting with N plaintext pairs in S and N plaintext pairs in T, we expect to find N^2 2^{-n} (p̂ q̂)^2 right quartets. For a random permutation the number of "right quartets" is about N^2 2^{-2n}, so as long as p̂ q̂ > 2^{-n/2} we can use the rectangle attack to distinguish between a random permutation and the attacked cipher. This distinguisher can be later used for a key recovery attack.

4 Related-Key Rectangle Attack on KASUMI 

In this section we devise a related-key rectangle attack on the entire KASUMI. 
We start with a short description of the related-key differentials used in this 
attack, then describe a basic attack without full optimization, and its analysis. 
Finally, we describe the optimizations that reduce the complexities to our final 
results. 


4.1 Related-Key Differentials of KASUMI

As mentioned earlier, KASUMI's round function is composed of two main functions: the FO function and the FL function. A non-zero input difference to the FO function can become almost any output difference, with approximately the same probability. However, non-zero differences to the FL function propagate with much higher probabilities.

For the rectangle attack we use two related-key differentials. The first related-key differential is for rounds 1-4, while the second is used in rounds 5-7.


4.1.1 A 4-Round Related-Key Differential for Rounds 1-4

This 4-round related-key differential is an extension by one round of the related-key differential presented in [12]. The key difference is ΔK_ab = (0,0,1,0,0,0,0,0), i.e., only the third key word has a non-zero difference K'_3 = 0001_x. The plaintext difference of the differential is α = (0_x, 0020 0000_x). It was shown in [12] that with probability 1/4, the difference after three rounds is equal to α as well. The input difference of the FO function in the fourth round is non-zero (0020 0000_x). The key difference of the fourth round is introduced only at the end of the FO function (precisely, in KI_{4,3}). Hence, the non-zero difference propagates through all the parts of FO, and the output difference of the round function is distributed almost uniformly. Therefore, we shall use the differentials α = (0_x, 0020 0000_x) → (y, 0020 0000_x) for all the possible values of y. In the worst case, all the y values are equiprobable. Thus, when using all the 2^32 possible values, each of them is expected to occur with probability 2^{-32}. Hence, each differential of the form α = (0_x, 0020 0000_x) → (y, 0020 0000_x) has probability 2^{-34}. The effective probability of the differentials when using all these differentials simultaneously is p̂ = √(2^32 · (2^{-34})^2) = √(2^{-36}) = 2^{-18}. If the y values are not equiprobable, then the value of p̂ is higher.

As observed in [12], the attacker can select two bits of the plaintext in order to double the probability of the differential: The attacker assigns one bit of the plaintext to be one (thus fixing one bit of the output of the OR operation in FL1) and one bit of the plaintext to be zero (thus fixing one bit of the output of the AND operation in FL1). More precisely, let P = (P_LL, P_LR, P_RL, P_RR), where P_LL is the 16 plaintext bits that enter the AND operation of the FL function in the first round, and P_LR are the remaining bits of the left half of the plaintext. The attacker sets the least significant bit of P_LL and the second least significant bit of P_LR to P^0_LL = 0 and P^1_LR = 1, where the superscript x ∈ {0,1} denotes the x-th bit of that quarter of the plaintext. This selection ensures that the characteristic holds with probability 1 in the first round (instead of 1/2), despite the key difference. Therefore, the probability of the differential α = (0_x, 0020 0000_x) → (y, 0020 0000_x) is increased from 2^{-34} to 2^{-33}, and the effective probability of the first part of the rectangle is increased to p̂ = √(2^32 · (2^{-33})^2) = √(2^{-34}) = 2^{-17}.

It is possible to rotate all the words of the key difference ΔK_ab and the characteristic by the same number of bits, without changing the probability of the characteristic. Hence, the above characteristic can be replaced by 15 other characteristics.


4.1.2 A 3-Round Related-Key Differential for Rounds 5-7

The 3-round related-key differential used in rounds 5-7 is the 3-round differential of [12] shifted by four rounds. The key difference is ΔK_ac = (0,0,0,0,0,0,1,0). Again, it is possible to rotate the difference in K'_7 and the corresponding values in the characteristic, to obtain a new characteristic with the same probability.

The differential is γ = (0_x, 0020 0000_x) → (0_x, 0020 0000_x) = δ with probability q = q̂ = 1/4.


4.2 The Basic Related-Key Rectangle Attack on KASUMI

The attack on KASUMI treats the cipher as a cascade of three parts: E_0 consists of the first four rounds, E_1 consists of rounds 5-7, and E_f the round after the distinguisher (round 8), which is used for analysis. Let K_a, K_b = K_a ⊕ ΔK_ab, K_c = K_a ⊕ ΔK_ac, and K_d = K_c ⊕ ΔK_ab be the unknown related keys that we want to retrieve.

For E_0 we use the 4-round differential with p = 2^{-17} presented earlier, whose key difference is ΔK_ab = (0,0,1,0,0,0,0,0) and whose input difference is α = (0_x, 0020 0000_x). For E_1 we use the 3-round differential with q = 2^{-2} presented earlier, whose key difference is ΔK_ac = (0,0,0,0,0,1,0,0) and whose output difference is δ = (0_x, 0020 0000_x).

If we encrypt N = 2^51 pairs of plaintexts under K_a and K_b, and the same number of pairs under K_c and K_d, we expect to find N^2 = 2^102 quartets, of which about N^2 · 2^{-64} · 2^{-34} · 2^{-4} = 2^102 · 2^{-102} = 1 are right rectangle quartets.

In the attack we identify the right quartets out of all possible quartets, and then analyze them to retrieve the subkey of round 8. This analysis is performed in the following way:

1. Data Collection Phase:

(a) Ask for the encryption of 2^51 pairs of plaintexts (P_a, P_b), where P_b = P_a ⊕ α, P^0_{a,LL} = 0, and P^1_{a,LR} = 1, and where P_a is encrypted under K_a and P_b is encrypted under K_b. Insert each pair into a hash table indexed by the 64-bit value of (C_{a,RL}, C_{a,RR}, C_{b,RL}, C_{b,RR}).

(b) Ask for the encryption of 2^51 pairs of plaintexts (P_c, P_d), where P_d = P_c ⊕ α, P^0_{c,LL} = 0, and P^1_{c,LR} = 1, and where P_c is encrypted under K_c and P_d is encrypted under K_d. For each pair, access the hash table in the entry corresponding to the value (C_{c,RL} ⊕ 0020_x, C_{c,RR}, C_{d,RL} ⊕ 0020_x, C_{d,RR}). For each pair (P_a, P_b) found in this entry, apply Step 2 on the quartet (P_a, P_b, P_c, P_d).

The (2^51)^2 possible quartets are filtered according to a condition on 64 bits of the difference of the ciphertexts, leading to about 2^38 quartets that enter Step 2. In the following step, we treat all remaining quartets as right quartets. The analysis of a quartet is done by guessing 32 bits of the key (KO_{8,1}, KI_{8,1}), and trying to deduce KL_{8,2}. In most cases there is a contradiction, e.g., one of the pairs suggests something which is impossible, or the two pairs disagree on some key bit.

2. Analyzing Quartets:

(a) For each quartet (C_a, C_b, C_c, C_d), guess the 32-bit value of KO_{8,1} and KI_{8,1}. Assume that this is a right quartet. For the two pairs (C_a, C_c) and (C_b, C_d) use the value of the guessed key to compute the input and output differences of the OR operation in the last round of both pairs. For each bit of this 16-bit OR operation of FL8, the possible values of the corresponding bit of KL_{8,2} are given in Table 4. On average (8/16)^16 = 2^{-16} values of KL_{8,2} are suggested by each quartet and guess of KO_{8,1} and KI_{8,1}.

(b) For each quartet and values of KO_{8,1}, KI_{8,1} and KL_{8,2} suggested in Step 2(a), guess the 32-bit value of KO_{8,3} and KI_{8,3}, and use this information to compute the input and output differences of the AND operation in both pairs. For each bit of the 16-bit AND operation of FL8, the possible values of the corresponding bit of KL_{8,1} are given in Table 4. On average (8/16)^16 = 2^{-16} values of KL_{8,1} are suggested by each quartet and guess of KO_{8,1}, KO_{8,3}, and KI_{8,3} and the computed value of KL_{8,2}.

3. Finding the Right Key: For each quartet and value of KO_{8,1}, KI_{8,1}, KO_{8,3}, KI_{8,3} and the value of KL_{8,1} and KL_{8,2} suggested in Step 2, guess the remaining 32 bits of the key, and perform a trial encryption.

Table 4. Possible Values of KL_{8,2} and KL_{8,1}*

OR (KL_{8,2})
(X'_1,Y'_1) \ (X'_2,Y'_2)   (0,0)   (0,1)   (1,0)   (1,1)
(0,0)                       {0,1}   -       0       1
(0,1)                       -       -       -       -
(1,0)                       0       -       0       -
(1,1)                       1       -       -       1

AND (KL_{8,1})
(X'_1,Y'_1) \ (X'_2,Y'_2)   (0,0)   (0,1)   (1,0)   (1,1)
(0,0)                       {0,1}   -       1       0
(0,1)                       -       -       -       -
(1,0)                       1       -       1       -
(1,1)                       0       -       -       0

* The two bits of the differences are denoted by (input difference, output difference): (X'_1, Y'_1) for one pair and (X'_2, Y'_2) for the other.

4.3 Analysis of the Attack 

We first analyze Step 2(a), and show that given the input and output differences
of the OR operation in the two pairs of the quartet, the expected number of
suggestions for the key KL_{8,2} is 2^{-16}. This means that the 2^{38} · 2^{32} = 2^{70}
(quartet, subkey guess) tuples suggest 2^{70} · 2^{-16} = 2^{54} subkey guesses for
the 48-bit value.

Let us examine a difference in some bit j. There are four combinations of 
input difference and output difference for this bit for each pair. Table 4 lists the 
key bits that the two pairs suggest for the respective key bit. 

There are nine entries that contain no value. For example, a difference 0
may never cause a difference 1 by any function. Another possible contradiction
happens when one pair suggests that the key bit is 0, while the second pair
suggests that the key bit is 1. The total number of possible key bits is 8 out of
16 entries. Thus, on average there is half a possibility for each bit. In total, for
the 16 bits there are (1/2)^{16} = 2^{-16} possibilities on average. A similar analysis
can be applied to Step 2(b).

As noted earlier, the expected number of (quartet, subkey guess) tuples
that enter Step 2(b) is 2^{54}. For each of these tuples, we guess 32 additional
bits, resulting in 2^{54} · 2^{32} = 2^{86} (quartet, subkey guess) tuples. As Step 2(b) is
similar to Step 2(a), after its execution the expected number of (quartet,
subkey guess) tuples is 2^{86} · 2^{-16} = 2^{70}, while the guessed subkey has 96 bits
in total.

Step 2(a) can be implemented using only a few logical operations. The test
whether a pair suggests a contradiction (a zero difference in the input with a
corresponding non-zero difference in the output) can be performed as follows: Let
X' be the word of input differences and let Y' be the word of output differences.
Compute $Z = \overline{X'} \wedge Y'$, where $\overline{X'}$ is the bitwise complement of X'. If Z is
non-zero then there is some bit in X' which is zero, while the corresponding bit in
Y' is 1. Thus, we can check using two logical operations whether one of the pairs
suggests a contradiction of this kind.

We can also find which bits of the key a pair suggests. For the OR operation,
the bits that a pair suggests are the bits for which X' has 1, and the value of
KL_{8,2} in these bits is the same as in Y'. To check whether the two pairs suggest
contradicting values for the key, it suffices to check whether
$(X'_1 \wedge X'_2) \wedge (Y'_1 \oplus Y'_2) \neq 0$. A similar method can be used in Step 2(b)
(after updating the relevant expression to take the AND operation into
consideration). Further optimizations of the generation of the list of possible
values of KL_{8,2} and KL_{8,1} can be made using table lookups.
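As an added illustration of Steps 2(a) and 2(b) and of the word-level checks just described (example code written for this edition, not the paper's own implementation), the following Python derives the per-bit key suggestions of a keyed OR or AND gate by enumerating the gate's truth table, assembles the 4×4 table in the layout of Table 4, counts its consistent entries (8 of 16, which is where (8/16)^{16} = 2^{-16} suggestions per 16-bit word comes from), and implements the two tests $Z = \overline{X'} \wedge Y'$ and $(X'_1 \wedge X'_2) \wedge (Y'_1 \oplus Y'_2)$. The gates are modelled as plain single-bit y = x ∨ k and y = x ∧ k, which is this example's assumption; the orientation of the 0/1 entries follows from that model, while the contradiction pattern, the 8-of-16 count and the two word-level tests do not depend on it. The difference words at the end are constructed sample values.

```python
from itertools import product

# Assumed gate model (this example's, not the paper's): y = x OP k on one bit.
OR = lambda x, k: x | k
AND = lambda x, k: x & k

WIDTH = 16                                  # FL works on 16-bit words
MASK = (1 << WIDTH) - 1
DIFFS = [(0, 0), (0, 1), (1, 0), (1, 1)]    # (input diff, output diff) of one pair


def suggested_key_bits(op, x_diff, y_diff):
    """Key bits k for which some input pair with difference x_diff produces
    output difference y_diff through y = op(x, k). Empty set = impossible."""
    return {k for k in (0, 1) for x in (0, 1)
            if op(x, k) ^ op(x ^ x_diff, k) == y_diff}


def suggestion_table(op):
    """Table 4 layout: key ((X'_1, Y'_1), (X'_2, Y'_2)) -> set of key bits both
    pairs agree on; the empty set is the '-' (contradiction) entry."""
    return {(p1, p2): suggested_key_bits(op, *p1) & suggested_key_bits(op, *p2)
            for p1, p2 in product(DIFFS, DIFFS)}


def count_possible_key_bits(table):
    """Possible key-bit values summed over the 16 entries ({0,1} counts 2)."""
    return sum(len(v) for v in table.values())


def count_contradictions(table):
    return sum(1 for v in table.values() if not v)


def expected_suggestions_per_word(table, width=WIDTH):
    """(possible values / 16 entries)^width, i.e. (8/16)^16 = 2^-16 per quartet."""
    return (count_possible_key_bits(table) / 16) ** width


def pair_is_contradictory(x_diff, y_diff):
    """Z = ~X' & Y'. Non-zero means a zero input difference produced a non-zero
    output difference in some bit, which no function can do."""
    return ((~x_diff & MASK) & y_diff) != 0


def pairs_disagree(x1, y1, x2, y2):
    """(X'_1 & X'_2) & (Y'_1 ^ Y'_2). Non-zero means both pairs determine some
    key bit (input difference 1 in both) and determine it differently."""
    return ((x1 & x2) & (y1 ^ y2)) != 0


def possible_key_words(op, x1, y1, x2, y2, width=WIDTH):
    """All width-bit key words consistent with both pairs: one Table 4 lookup per
    bit, combined across bits. Returns [] as soon as a bit is contradictory."""
    table = suggestion_table(op)
    words = [0]
    for bit in range(width):
        b = lambda w: (w >> bit) & 1
        choices = table[((b(x1), b(y1)), (b(x2), b(y2)))]
        if not choices:
            return []
        words = [w | (k << bit) for w in words for k in sorted(choices)]
    return words


if __name__ == "__main__":
    # Constructed sample differences for the two pairs of one quartet.
    x1, y1, x2, y2 = 0xF0F0, 0x5050, 0xFF00, 0x5500
    print(count_possible_key_bits(suggestion_table(OR)), "possible key bits in 16 entries")
    print("contradiction:", pair_is_contradictory(x1, y1), "disagreement:", pairs_disagree(x1, y1, x2, y2))
    print(len(possible_key_words(OR, x1, y1, x2, y2)), "candidate 16-bit key words")
```

With the sample words, 12 of the 16 bit positions have input difference 1 in at least one pair and are therefore determined, leaving 2^4 = 16 candidate key words; a single disagreeing bit (as in the second call of the test below) empties the list, which is the filtering the paper relies on.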

Step 3 goes over all 2^{70} suggestions for the 96 bits of the key, and tries
to complete the remaining 32 bits by an exhaustive search. This can easily be
performed due to the linear key schedule of KASUMI. The time complexity of
this step is 2^{102} trial encryptions.

As the complexity of Step 3 is dominant, the total complexity of this attack is
2^{102} trial encryptions. This complexity is further reduced in the next subsection.


4.4 Improvements of the Attack

Step 3 can be improved by using counting techniques. In case we encrypt the
data three times (2^{52.6} plaintexts encrypted under each of the four different
keys), we expect to have nine right quartets. Instead of completing the missing
key bits by an exhaustive key search, we count how many (quartet, subkey guess)
tuples suggest each value of the 96 bits of KO_{8,1}, KI_{8,1}, KO_{8,3}, KI_{8,3}, KL_{8,1}
and KL_{8,2}. Only a few wrong key values are expected to get more than five
suggestions. On the other hand, the right key has probability 88.4% to have at
least this number of suggestions. Therefore, we identify which 96-bit values have
more than five suggestions, and exhaustively search over the remaining bits of
these cases. The time complexity of this attack is dominated by Step 2(b). The
data complexity of the attack is 2^{54.6} related-key chosen plaintexts and the time
complexity of the attack is equivalent to 2^{86.2} full KASUMI encryptions.

Another improvement of the attack is based on the observation that Step 2(b)
can be implemented in two substeps. In the first one, we guess KO_{8,3} and the
9 bits of KI_{8,3,2}, and find the value of only 9 bits of KL_{8,1}. Hence, we generate
9 · 2^{54} · 2^{25} = 2^{82.2} (quartet, subkey guess) tuples where the subkey guess is of 73
bits. As this improvement first deals only with 9 bits of KL_{8,1}, the expected
number of remaining (quartet, subkey guess) values is 2^{73.2}. Then, we perform
the second substep on the 7 remaining bits of KI_{8,3,1} and of KL_{8,1}. The time
complexity of the attack is now dominated by the first substep of Step 2(b),
whose complexity is equivalent to about 2^{79.2} KASUMI encryptions.

Our last improvement uses the fact that Step 2(b) (and even its first
substep) only partially depends on Step 2(a). After Step 2(a) there are 2^{54} tuples
of the form (quartet, subkey guess), where the subkey guess is of 48 bits. However,
Step 2(b) uses only 32 bits of the guessed subkey, i.e., the value of KO_{8,1} and
KI_{8,1}. As mentioned earlier, a given quartet suggests about 2^{16} values for the 48
bits of KO_{8,1}, KI_{8,1}, KL_{8,2}. However, it suggests about 2^{12.9} values for the 32 bits
of KO_{8,1}, KI_{8,1}.

This observation is used to reduce the complexity of the attack: The purpose
of Step 2(a) is now to find the list of about 2^{12.9} values for KO_{8,1}, KI_{8,1} that
a quartet suggests, and then Step 2(b) finds the list of about 2^{12.9} values for
KO_{8,3}, KI_{8,3}. Only then, in Step 3, we take into consideration the possible values
of KL_{8,1} and KL_{8,2}. This reduces the time complexity of the attack to 2^{76.1}
KASUMI encryptions.

The attack can also be transformed into a related-key boomerang attack that
requires 2^{43.2} adaptive chosen plaintexts and ciphertexts (encrypted under four
different keys). The attack is performed starting in the decryption direction, and
thus it is a chosen ciphertext attack with adaptively chosen plaintexts. The time
complexity of this related-key boomerang attack is 2^{78.1} encryptions.

5 The Related-Key Boomerang Attack on 6-Round KASUMI

In this section we present a related-key boomerang attack on 6-round KASUMI.
The attack is on the first six rounds (rounds 1-6). It finds 16 bits of the key
using only 768 adaptive chosen plaintexts and ciphertexts.


5.1 Another 3-Round Differential of KASUMI 

In this subsection we present four related-key conditional characteristics [1] for
rounds 4-6 of KASUMI. We describe the conditional characteristics in the
backward direction as this is the direction in which we use them. These characteristics
can be easily adapted to hold for any three consecutive rounds starting with an
even round, either in the forward or in the backward direction.

The key difference of all these conditional characteristics is ΔK_{ac} =
(0, 0, 0, 0, 0, 1, 0, 0). Unlike regular characteristics, conditional characteristics
depend on the value of some key bit. The four conditional characteristics we use
depend on the same key bit. Two of them assume that the value of this key bit
is 0, while the other two assume that the value is 1. Let δ_0 = (0020 0000_x, 0_x),
δ_1 = (0020 0040_x, 0_x), and δ' = (0001 0000_x, 0_x). The two conditional
characteristics that depend on the value zero are δ_0 → δ_0 and δ_0 ⊕ δ' → δ_0. The
two conditional characteristics that depend on the value one are δ_1 → δ_1 and
δ_1 ⊕ δ' → δ_1 (the index of the subscript of δ denotes the value of the key bit).
All these conditional characteristics have probability 1/4.

Given a pair with a ciphertext difference of the conditional characteristic,
then during the decryption the zero input difference is preserved in round 6
by FO6, and with probability 1/2 it is also the output difference of FL6
(there is a subkey difference in one bit that is canceled with probability 1/2).
In round 5, we hope to achieve a difference of 0020 0000_x after FL5, which
is then canceled with the key difference in KO_{5,1}. This is where the
conditional property of the characteristics is used. In order to achieve the desired
output difference of FL5, the conditional characteristic depends on the value
of the key bit that is ANDed in FL5. There is an active bit in the data, and
if the value of the key bit is 1, then this difference is preserved. Otherwise, if
the value is 0, then the AND operation has a zero output difference. Thus, for
a given value of this key bit, exactly two out of the four characteristics yield
a difference 0020 0000_x after FL5 (this part of the conditional characteristic
has probability 1), whereas for the other two characteristics this difference is
impossible. Therefore, in our attack we use all four characteristics in parallel,
and know that two of them pass round 5 with a zero output difference with
probability 1.

In round 4, the zero difference is preserved by the FO4 function. Again, it has
probability 1/2 to be preserved also by FL4, and probability 1/2 of not being
preserved. Thus, the input difference of the characteristic is either the output
difference (δ_0 or δ_1), or the output difference XORed with δ'.

Hence, either each of the first two conditional characteristics has probability
1/4, or the other two have probability 1/4. For each such case the effective
probability based on the two characteristics is $q = \sqrt{(1/4)^2 + (1/4)^2} = 1/\sqrt{8}$.
The successful conditional characteristics are determined by the value of the fifth
bit of K_5.

We note that all these conditional characteristics can be rotated along with
the key difference, to produce 15 similar sets of characteristics with the same
effective probability.

5.2 A Related-Key Boomerang Distinguisher on 6-Round KASUMI 

In this subsection we present a related-key boomerang distinguisher of 6-round
KASUMI. The distinguisher is mounted on rounds 1-6 of KASUMI, but it can
be easily adapted to rounds 2-7 or to rounds 3-8 as well.

Denote by E a reduced version of KASUMI consisting of the first six rounds
of the cipher. We describe E as a cascade E = E_1 ∘ E_0, where E_0 corresponds
to rounds 1-3 and E_1 corresponds to rounds 4-6. The attack exploits
the characteristic α = (0_x, 0020 0000_x) → (0_x, 0020 0000_x) of E_0 with
probability 1/4, as well as the four characteristics δ_0 → δ_0, δ_0 ⊕ δ' → δ_0, δ_1 → δ_1,
and δ_1 ⊕ δ' → δ_1 of E_1 with probability 1/4. The key difference used in E_0 is
ΔK_{ab} = (0, 0, 1, 0, 0, 0, 0, 0), and the key difference of all the characteristics of
E_1 is ΔK_{ac} = (0, 0, 0, 0, 0, 1, 0, 0).

The attack essentially performs two standard related-key boomerang
distinguishers, one for each possible value of the key bit. A small improvement that
we use is to save some of the data by reusing some of the plaintexts generated
in the attack. The attack algorithm is as follows:

1. Choose M pairs of plaintexts (P_{a,i}, P_{b,i}) (for 1 ≤ i ≤ M) such that
P_{a,i} ⊕ P_{b,i} = α. Ask for the encryption of the pairs such that in each pair, P_{a,i}
is encrypted under K_a and P_{b,i} is encrypted under the related key K_b =
K_a ⊕ ΔK_{ab}. Denote the corresponding ciphertexts by (C_{a,i}, C_{b,i}).

2. For 1 ≤ i ≤ M, calculate C_{c,i} = C_{a,i} ⊕ δ_0 and C_{d,i} = C_{b,i} ⊕ δ_0. Ask for the
decryption of the pairs (C_{c,i}, C_{d,i}) such that in each pair, C_{c,i} is decrypted
under K_c = K_a ⊕ ΔK_{ac} and C_{d,i} is decrypted under K_d = K_a ⊕ ΔK_{ab} ⊕ ΔK_{ac}.
Denote the corresponding plaintexts by (P_{c,i}, P_{d,i}).

3. For 1 ≤ i ≤ M, calculate C_{e,i} = C_{a,i} ⊕ δ_1 and C_{f,i} = C_{b,i} ⊕ δ_1. Ask for the
decryption of the pairs (C_{e,i}, C_{f,i}) such that in each pair C_{e,i} is decrypted
under K_c and C_{f,i} is decrypted under K_d. Denote the corresponding plaintexts
by (P_{e,i}, P_{f,i}).

4. Check whether P_{c,i} ⊕ P_{d,i} = α and count the number of such occurrences.

5. Check whether P_{e,i} ⊕ P_{f,i} = α and count the number of such occurrences.

6. If one of the two counters from Steps 4 and 5 is greater than zero, then
output "6-Round KASUMI". Otherwise, output "Not 6-Round KASUMI".

The total probability of the boomerang process of this distinguisher is
$(1/4)^2 \cdot (1/\sqrt{8})^2 = 1/128$, either for quartets counted in Step 4 or for quartets
counted in Step 5. Therefore, for M = 256 we expect to find two right quartets in
Step 4 or Step 5 (either for the quartets (P_{a,i}, P_{b,i}, P_{c,i}, P_{d,i}) or for the quartets
(P_{a,i}, P_{b,i}, P_{e,i}, P_{f,i})). Filtering of these pairs is expected to be very effective as
for a random permutation the probability of the event P_{c,i} ⊕ P_{d,i} = α (or the
event P_{e,i} ⊕ P_{f,i} = α) is 2^{-64}.

The boomerang distinguisher can be improved using the following
observation: Just like in the rectangle attack, by fixing two plaintext bits (P_{a,LL} =
0, P_{a,LR} = 1), the probability of the first characteristic in the encryption direction
is 1/2 (instead of 1/4).^2 Therefore, if we choose all the (P_{a,i}, P_{b,i}) according to
this additional requirement, the probability of the characteristic in rounds 1-3
in the forward direction doubles.

The overall probability of this boomerang process in this case is doubled
to 1/64. Thus, M = 128 suffices for a success rate of about 86%. Hence, our
distinguisher requires a total of 3 · 128 · 2 = 768 adaptively chosen plaintexts
and ciphertexts such that 256 chosen plaintexts are encrypted and 512
adaptively chosen ciphertexts are decrypted. The time complexity of the attack is
negligible.

5.3 Related-Key Boomerang Key Recovery Attack on 6-Round KASUMI

We note that the boomerang distinguisher can also be used for a key recovery
attack. As mentioned earlier, the set of characteristics (of E_1) for which the
attack succeeds depends on the value of a single key bit of K_5. Thus, the value of
this key bit can be detected by observing which one of the sets of characteristics
of E_1 is successful. Similar attacks can be mounted by taking other single bits
of K_6 to have a key difference in E_1. That way, all 16 bits of K_5 can be retrieved
by performing the attack 16 times, each time with another key difference. The
rest of the key can be retrieved using auxiliary techniques.

This variant of the attack requires 256 chosen plaintexts encrypted under
two keys (K_a and K_b), and sixteen times the decryption of 512 adaptive
chosen ciphertexts decrypted under two related keys. The total data complexity
of the attack is 2^{13} adaptive chosen plaintexts and ciphertexts encrypted
under 34 keys. The time complexity of the attack is less than 2^{13} KASUMI
encryptions.

^2 The actual probability is slightly higher, i.e., 5/8, and the probability of the first
characteristic in the decryption direction is 5/16.


6 Summary and Conclusions

In this paper we apply the related-key boomerang and related-key rectangle
attacks to the KASUMI block cipher. Our attacks are the first attacks on the full
cipher. The related-key rectangle attack requires 2^{54.6} chosen plaintexts encrypted
under four keys (2^{52.6} plaintexts encrypted under each key). The time complexity
is equivalent to 2^{76.1} KASUMI encryptions.

We also present an efficient related-key boomerang distinguisher on 6-round
KASUMI that requires 768 adaptive chosen plaintexts and ciphertexts, using four
related keys.^3 This attack can be converted to a key recovery attack that requires
2^{13} adaptive chosen plaintexts and ciphertexts encrypted under 34 related keys,
and finds 16 key bits with time complexity of less than 2^{13} KASUMI encryptions.

Previous works show that the security of the KASUMI block cipher with
respect to related-key attacks is significant for proving that the modes of
operation used in the 3GPP networks are secure. Our results show that KASUMI
cannot be considered secure with respect to differential-based related-key
attacks. Therefore, the currently existing security proofs of the protocols of the
3GPP network should be revised to reflect this situation.

Acknowledgments 

It is a pleasure to thank Elad Barkan for useful references, and to Tetsu Iwata 
for providing us with a clear understanding of the model and requirements of 
the security proofs. The valuable comments made by the anonymous referees are 
also appreciated. 

^3 We expect to be able to reduce this complexity even further, but decided to save
some of our time.

References

1. Ishai Ben-Aroya, Eli Biham, Differential Cryptanalysis of Lucifer, Advances in
Cryptology, proceedings of EUROCRYPT '93, Lecture Notes in Computer Science
773, pp. 187-199, Springer-Verlag, 1994.

2. Eli Biham, New Types of Cryptanalytic Attacks Using Related Keys (Extended
Abstract), Journal of Cryptology, Vol. 7, No. 4, pp. 229-246, Springer-Verlag, 1994.

3. Eli Biham, How to decrypt or even substitute DES-encrypted messages in 2^{28} steps,
Information Processing Letters, Vol. 84, No. 3, pp. 117-124, Elsevier, 2002.





4. Eli Biham, Alex Biryukov, Adi Shamir, Miss in the Middle Attacks on IDEA and
Khufu, proceedings of Fast Software Encryption 6, Lecture Notes in Computer
Science 1636, pp. 124-138, Springer-Verlag, 1999.

5. Eli Biham, Alex Biryukov, Adi Shamir, Cryptanalysis of Skipjack Reduced to 31
Rounds, Advances in Cryptology, proceedings of EUROCRYPT '99, Lecture Notes
in Computer Science 1592, pp. 12-23, Springer-Verlag, 1999.

6. Eli Biham, Orr Dunkelman, Nathan Keller, The Rectangle Attack - Rectangling
the Serpent, Advances in Cryptology, proceedings of EUROCRYPT '01, Lecture
Notes in Computer Science 2045, pp. 340-357, Springer-Verlag, 2001.

7. Eli Biham, Orr Dunkelman, Nathan Keller, New Results on Boomerang and Rectangle
Attacks, proceedings of Fast Software Encryption 9, Lecture Notes in Computer
Science 2365, pp. 1-16, Springer-Verlag, 2002.

8. Eli Biham, Orr Dunkelman, Nathan Keller, Related-Key Boomerang and Rectangle
Attacks, Advances in Cryptology, proceedings of EUROCRYPT '05, Lecture Notes
in Computer Science 3494, pp. 507-525, Springer-Verlag, 2005.

9. Eli Biham, Adi Shamir, Differential Cryptanalysis of the Data Encryption Standard,
Springer-Verlag, 1993.

10. Alex Biryukov, Jorge Nakahara Jr., Bart Preneel, Joos Vandewalle, New Weak-Key
Class of IDEA, proceedings of Information and Communications Security 4,
Lecture Notes in Computer Science 2513, pp. 315-326, Springer-Verlag, 2002.

11. Alex Biryukov, Sourav Mukhopadhyay, Palash Sarkar, Improved Time-Memory
Trade-offs with Multiple Data, preproceedings of Selected Areas in Cryptography
2005, pp. 113-131, 2005, to appear in LNCS.

12. Mark Blunden, Adrian Escott, Related Key Attacks on Reduced Round KASUMI,
proceedings of Fast Software Encryption 8, Lecture Notes in Computer Science
2355, pp. 277-285, Springer-Verlag, 2002.

13. Lawrence Brown, Josef Pieprzyk, Jennifer Seberry, LOKI - A Cryptographic
Primitive for Authentication and Secrecy Applications, Advances in Cryptology,
proceedings of AUSCRYPT '90, Lecture Notes in Computer Science 453, pp. 229-236,
Springer-Verlag, 1990.

14. Joan Daemen, Vincent Rijmen, The Design of Rijndael: AES - the Advanced
Encryption Standard, Springer-Verlag, 2002.

15. Helena Handschuh, David Naccache, SHACAL, preproceedings of NESSIE first
workshop, Leuven, 2000.

16. Dowon Hong, Ju-Sung Kang, Bart Preneel, Heuisu Riu, A Concrete Security Analysis
for 3GPP-MAC, proceedings of Fast Software Encryption 10, Lecture Notes
in Computer Science 2887, pp. 154-169, Springer-Verlag, 2003.

17. Tetsu Iwata, Kaoru Kurosawa, On the Correctness of Security Proofs for the 3GPP
Confidentiality and Integrity Algorithms, proceedings of Cryptography and Coding
- 9th IMA International Conference, Lecture Notes in Computer Science 2898,
pp. 306-318, Springer-Verlag, 2003.

18. Tetsu Iwata, Tadayoshi Kohno, New Security Proofs for the 3GPP Confidentiality
and Integrity Algorithms, proceedings of Fast Software Encryption 11, Lecture
Notes in Computer Science 3017, pp. 427-445, Springer-Verlag, 2004.

19. Goce Jakimoski, Yvo Desmedt, Related-Key Differential Cryptanalysis of 192-bit
Key AES Variants, proceedings of Selected Areas in Cryptography 2003, Lecture
Notes in Computer Science 3006, pp. 208-221, Springer-Verlag, 2004.

20. Ju-Sung Kang, Sang Uk Shin, Dowon Hong, Okyeon Yi, Provable Security of
KASUMI and 3GPP Encryption Mode, Advances in Cryptology, proceedings of
ASIACRYPT '01, Lecture Notes in Computer Science 2248, pp. 255-271,
Springer-Verlag, 2001.





21. John Kelsey, Tadayoshi Kohno, Bruce Schneier, Amplified Boomerang Attacks
Against Reduced-Round MARS and Serpent, proceedings of Fast Software
Encryption 7, Lecture Notes in Computer Science 1978, pp. 75-93, Springer-Verlag, 2000.

22. John Kelsey, Bruce Schneier, David Wagner, Related-Key Cryptanalysis of 3-WAY,
Biham-DES, CAST, DES-X, NewDES, RC2, and TEA, proceedings of Information
and Communication Security 1997, Lecture Notes in Computer Science 1334,
pp. 233-246, Springer-Verlag, 1997.

23. Jongsung Kim, Guil Kim, Seokhie Hong, Sangjin Lee, Dowon Hong, The Related-Key
Rectangle Attack - Application to SHACAL-1, proceedings of ACISP 2004,
Lecture Notes in Computer Science 3108, pp. 123-136, Springer-Verlag, 2004.

24. Seokhie Hong, Jongsung Kim, Guil Kim, Sangjin Lee, Bart Preneel, Related-Key
Rectangle Attacks on Reduced Versions of SHACAL-1 and AES-192, proceedings
of Fast Software Encryption 12, Lecture Notes in Computer Science 3557, pp. 368-383,
Springer-Verlag, 2005.

25. Ulrich Kühn, Cryptanalysis of Reduced-Round MISTY, Advances in Cryptology,
proceedings of EUROCRYPT '01, Lecture Notes in Computer Science 2045,
pp. 325-339, Springer-Verlag, 2001.

26. Xuejia Lai, James L. Massey, A Proposal for a New Block Cipher Encryption Standard,
Advances in Cryptology, proceedings of EUROCRYPT '90, Lecture Notes in
Computer Science 473, pp. 389-404, Springer-Verlag, 1991.

27. Mitsuru Matsui, Block Encryption Algorithm MISTY, proceedings of Fast Software
Encryption 4, Lecture Notes in Computer Science 1267, pp. 64-74, Springer-Verlag,
1997.

28. US National Bureau of Standards, Data Encryption Standard, Federal Information
Processing Standards Publications No. 46, 1977.

29. Arthur Sorkin, Lucifer, a Cryptographic Algorithm, Cryptologia, Vol. 8, No. 1,
pp. 22-41, 1984.

30. Hidema Tanaka, Chikashi Ishii, Toshinobu Kaneko, On the Strength of KASUMI
without FL Functions against Higher Order Differential Attack, proceedings of
Information Security and Cryptology 3, Lecture Notes in Computer Science 2015,
pp. 14-21, Springer-Verlag, 2001.

31. 3rd Generation Partnership Project, Technical Specification Group Services and
System Aspects, 3G Security, Specification of the 3GPP Confidentiality and
Integrity Algorithms; Document 2: KASUMI Specification, V.3.1.1, 2001.

32. Serge Vaudenay, Provable Security for Block Ciphers by Decorrelation, proceedings
of Annual Symposium on Theoretical Aspects of Computer Science '98, Lecture
Notes in Computer Science 1373, pp. 249-275, Springer-Verlag, 1998.

33. David Wagner, The Boomerang Attack, proceedings of Fast Software Encryption 6,
Lecture Notes in Computer Science 1636, pp. 156-170, 1999.



Some Attacks Against a Double Length Hash Proposal


Lars R. Knudsen^1 and Frederic Muller^2

^1 Department of Mathematics, Technical University of Denmark,
DK-2800 Kgs. Lyngby, Denmark
Lars.R.Knudsen@mat.dtu.dk
^2 DCSSI Crypto Lab,
51, boulevard de La Tour-Maubourg 75700 PARIS 07 SP
Frederic.Muller@sgdn.pm.gouv.fr


Abstract. At FSE 2005, Nandi et al. proposed a method to turn an
n-bit compression function into a 2n-bit compression function. In the
black-box model, the security of this double length hash proposal against
collision attacks is proven, if no more than O(2^{2n/3}) oracle queries to the
underlying n-bit function are made.

We explore the security of this hash proposal regarding several classes
of attacks. We describe a collision attack that matches the proven security
bound and we show how to find preimages in time 2^n. For optimum
security the complexities of finding collisions and preimages for a 2n-bit
compression function should be respectively 2^n and 2^{2n}. We also show
that if the output is truncated to s < 2n bits, one can find collisions in
time roughly 2^{s/3} and preimages in time roughly 2^{s/2}.

These attacks illustrate some important weaknesses of the FSE 2005
proposal, while none of them actually contradicts the proof of security.

1 Introduction 

1.1 Hash Functions 

Cryptographic hash functions are important primitives in cryptology. They are 
used in a wide range of applications including message integrity, authentication 
schemes or public key encryption schemes. Most importantly, they are used to 
speed up digital signature schemes, which otherwise would be slow and unlikely 
to be implemented widely. A cryptographic hash function takes an input of 
arbitrary size and produces an output, also called the hash value, of a fixed, 
predetermined size. In practice there is a limit for the length of the input, but 
typically this is chosen big enough for all practical applications. The important 
properties of a cryptographic hash function are : 

— collision-resistance: it should be difficult to find a pair x ≠ x' of inputs to
the hash function H such that H(x) = H(x')

— 2nd preimage-resistance: it should be difficult, for a given x, to find x' ≠ x
such that H(x) = H(x')

— preimage-resistance: it should be difficult, for a given y, to find x such that
H(x) = y

B. Roy (Ed.): ASIACRYPT 2005, LNCS 3788, pp. 462-473, 2005.
© International Association for Cryptologic Research 2005

There are generic attacks which apply to any hash function. If the size of the
hash value is n bits, then it is well-known that collisions can be found in time
2^{n/2} and preimages can be found in time 2^n. For 2nd preimages, the complexity
of generic attacks ranges between 2^{n/2} and 2^n, depending on the length of the
target message. Recent results by Kelsey and Schneier show that the complexity
can be only 2^{n/2} if the length of the target message is also 2^{n/2} [10]. In general,
hash functions are built by iterating a basic function called the compression
function. Attacks can target either the full hash function or the compression
function only, although there are connections between both approaches.


1.2 Recent Results in Attacking Hash Functions 

Many advances have been made recently for hash function cryptanalysis : 

— Some important weaknesses have been shown for popular algorithms. It is 
the case of MD4 [7, 17], MD5 [19], SHA-0 [2,4, 20] and SHA-1 [18], for which 
it was shown how to find collisions much faster than 2 n / 2 . These results 
illustrate some weaknesses of the underlying compression functions. 

— The generic construction itself could be at risk. Most hash functions are 
iterative and are built using the Merkle-Damgard method [6,12]. Recent 
results suggest that this construction is not necessarily a good choice [9, 10]. 

— Computing power is always growing. Attacks with complexity 2 64 are already 
accessible using distributed computing. And attacks with complexity 2 80 may 
also soon be feasible. Therefore hash functions with output size < 160 bits 
are not a good choice for long term security. 

In light of all this, more work is probably needed for hash function design. In
particular, it is believed that a good solution is to increase the size of the internal
state. This idea has been independently proposed by Lucks [11], Hirose [8] and
Nandi et al. [14]. Unfortunately the output size of most available compression
functions is not large enough, so one needs to design compression functions
with an increased output length. Rather than building a new primitive from
scratch, Nandi et al. suggested using a secure n-bit compression function in
order to build a larger compression function (of size 2n bits, for example). The
small compression function could then be instantiated with one of the available
functions, or with a block cipher in the Davies-Meyer construction. An interesting
argument for this new construction is that its security has been proven, using
some assumptions on the underlying "small" compression function.

1.3 Our Results 

In this paper, we focus on the security of the new double length hash proposal of
FSE 2005 [14] against all usual attacks. Regarding the proven security, the authors
have only focused on collision attacks, so one may hope to find (second) preimage
attacks without contradicting the security proof. Another interesting open
problem is to find a collision attack that matches the security proof claimed in [14].

First, we show that a collision can be found for this proposal in time 2^{2n/3},
which fits the proven security bound (but a generic attack on a 2n-bit function
would cost 2^n). Secondly, we show that preimages can be found in 2^n, while the
best generic attack on a 2n-bit compression function costs 2^{2n}.

An interesting question is how these results would apply to a full hash func- 
tion built using the FSE 2005 compression function. Iterated constructions gen- 
erally require the compression function to be collision-resistant in order to guar- 
antee the security of the full hash function. This is the case of the popular 
Merkle-Damgard construction [6, 12]. Another example was given at Crypto’05, 
where Coron et al. revisited the Merkle-Damgard construction [5]. In their analy- 
sis, the compression function is modeled as a random oracle. 

Sometimes the iterative structure even allows one to find better attacks against
the full hash than against the compression function alone, as demonstrated in [9,
19]. However, we did not take such scenarios into account.

1.4 Notions of Security for Truncated Hash 

We introduce new notions of security for compression functions and hash func- 
tions. These notions are the near-preimage resistance and the near-collision 
resistance. The idea is that it should remain difficult to find collisions or preim- 
ages on a truncated version of the function. It is often easier to find "near" attacks 
than attacks against the full hash. This was illustrated in the case of the SHA 
family where Biham and Chen first described near collisions [1] before "real" 
collision attacks were later demonstrated [2, 18]. 

There are important motivations for taking near-collision and near-preimage
attacks into account in practice. First, truncating the output diminishes the
size of the hash value. This can be critical to reduce data storage or to reduce the
communication complexity (in the case of MACs, for instance). When it is estimated
that s bits are a sufficient level of security, it is customary to truncate the output.
In some cases, this even helps to prevent some attacks (it makes it more difficult to
detect internal collisions in MAC algorithms, for instance).

Secondly, another motivation is that new hash functions may need to remain 
backward compatible with former applications. For instance, an output 
of size 160 bits may be needed for compatibility with systems that previously 
implemented SHA-1. Therefore it is likely that new designs may end up being 
truncated for practical purposes. A nice illustration of hash function truncation 
is given by the SHA-2 family [15]: intermediate hash sizes (224 bits and 384 
bits) are obtained by truncation of the larger hash sizes (256 bits and 512 bits). 

It is expected that the best attacks against truncated hash functions remain 
generic attacks. If the output size is reduced from n to s bits, then the best 
collision attack should cost 2^{s/2} steps and the best preimage attack should cost 
2^s steps. In their original paper, Biham and Chen [1] considered near preimages 
where the truncated positions are freely chosen by the attacker. With 
these additional degrees of freedom, the task of the attacker is easier, because 
he can first test several messages and choose the truncated positions only afterwards. 
For example, it is very easy to find a near preimage for SHA with s = 80 
when the attacker can choose the truncated positions. However, such scenarios 
are not very realistic in practice, so we only focus on near attacks where 
the truncated positions are predetermined. 

On the one hand, the security of a truncated hash function is unlikely to drop 
dramatically compared to the full version. Suppose that one can find preimages 
in time T for an s-bit truncated output. Then, for a given n-bit challenge y, 
an attacker can simply truncate y to s bits and obtain a preimage x for the 
truncated value. Then, s bits of the initial challenge are already satisfied by x, 
and the attacker can simply hope that the remaining n - s bits also satisfy the 
challenge. Therefore a preimage attack for the full hash should cost: 

T' = T × 2^{n-s} 

However there is no guarantee. The previous relation is true for most designs, 
but there may also exist special designs where this is not true. 

On the other hand, truncating the hash function may improve the level of 
security. This situation has been observed for MAC algorithms where truncation 
sometimes prevents the detection of internal collisions. Therefore, it is interesting 
to analyze how the complexity of an attack changes when the output is truncated. 
For instance, the FSE 2005 double length hash proposal [14] has a security 
regarding collision attacks proven with a bound of 2^{2n/3}. Thus, it is very tempting 
to truncate its output to 

2 × (2n/3) = 4n/3 

bits only, since it appears to be the highest security one can achieve. Unfortunately, 
in that case, we show that collision attacks would become much easier 
than 2^{2n/3}. More generally, when the hash output is truncated to s < 2n bits, 
we show how to find collisions in time 2^{s/3} and preimages in time 2^{s/2}. 

2 Description of the Double Length Compression Function 

A compression function is a function F : {0,1}^m → {0,1}^n where m > n. 
Suppose that F requires t calls to either 

— a block cipher of block size l. 

— a smaller compression function with inputs of l bits 

Then, the rate r of F is generally defined as the ratio: 


It represents the amount of data compressed for each application of the block 
cipher (or the smaller function). Achieving a compression function with a ratio 
r = 1 and which is practical seems to be a very difficult task [3]. In their paper, 
Nandi et al. [14] introduce two new constructions of respective rates r = 1/3 
and r = 2/3. The attacks against both proposals are essentially the same, so we 
consider first the compression function of rate 1/3. 

Fig. 1. The double length 1/3-rate construction of FSE 2005 

Let f_i : {0,1}^{2n} → {0,1}^n be independent random functions, for i = 1, 2, 3. 
We define the double-length compression function F : {0,1}^{3n} → {0,1}^{2n} by: 

F(x,y,z) = (F_1(x,y,z) | F_2(x,y,z)) 

         = (f_1(x,y) ⊕ f_2(y,z) | f_2(y,z) ⊕ f_3(z,x)) 

This function has a rate of 1/3: it compresses one block of n bits with 3 evaluations 
of the "small" f_i functions. This construction is also illustrated in Figure 1. 

Similarly, a function with rate 2/3 is proposed in [14]. The idea is to instantiate 
all the f_i's with a block cipher using keys of length 2n bits, in the 
Davies-Meyer construction. This allows one to compress an input of 4n bits into an 
output of 2n bits, thereby improving the ratio from 1/3 to 2/3. This construction 
could be instantiated with AES-256 for instance. 

3 Collisions 

In [14], it is proven that no collision can be exhibited for the proposed 2n-bit 
compression function with less than Ω(2^{2n/3}) queries to the three underlying 
n-bit functions. In addition, it is described how to match this bound. 

First, we quickly recall the attack proposed by the designers. Then we 
argue that the number Q of oracle queries is not the proper way to estimate the 
complexity of a collision attack. We denote the actual time and memory needed 
for the attack by T and M: while the original attack is such that Q = 2^{2n/3}, the 
authors of [14] do not give many details about its complexity. Apparently their 
attack requires T = M = 2^n. Using additional tricks, we propose a better attack 
which satisfies Q = T = M = 2^{2n/3}. We do not take into account constant and 
logarithmic factors to evaluate the complexities of all attacks. 
3.1 The Original Attack 

Let us pick at random 2^{n/3} values for x, y and z. We call these values x_i, y_i and 
z_i for i = 1 ... 2^{n/3}. Compute for all pairs 

A_{i,j} = f_1(x_i, y_j) 

Then store all results in a table T_A(i,j) with 2^{2n/3} entries. Similarly, compute 

B_{i,j} = f_2(y_i, z_j) 

and store in a table T_B(i,j). Finally, compute 

C_{i,j} = f_3(z_i, x_j) 

and store in a table T_C(i,j). At this point Q = 3 × 2^{2n/3} queries have been made 
to the n-bit compression functions. 

Now consider all triplets (x_i, y_j, z_k). There are 2^n such triplets and the compression 
function F produces 2n-bit outputs. So the birthday paradox tells us 
that, with good probability, two triplets will give a collision on F. One table 
lookup to T_A, one to T_B and one to T_C are sufficient to evaluate each 
F(x_i, y_j, z_k), so no new oracle query is needed. After computing the 2^n outputs, 
we store them in a table and sort it, in order to detect if an element 
appears twice. Therefore a collision is expected to be found with Q = 2^{2n/3} and 
T = M = 2^n. 

3.2 A Better Attack 

While the notion of oracle queries is useful for a security proof, it is not relevant in 
practice: specifications of a hash function are typically public, so an attacker can 
evaluate off-line the functions f_i. It is therefore not natural to make a distinction 
between the time needed for the Q oracle queries and the rest of the analysis. 
According to the security proof of [14] any generic attack needs to evaluate at 
least 2^{2n/3} times one of the n-bit compression functions. Therefore 

T ≥ 2^{2n/3} 

for any generic collision attack. In this section, we describe how to reach this 
lower bound. Fix one of the inputs of F, for instance let y = y_0. Then, consider 
2^{2n/3} random values of x and z. We denote these values by x_i and z_i for i = 
1 ... 2^{2n/3}. Compute, for all i, 

A_i = f_1(x_i, y_0) 

and store the results in a table T_A. Similarly, compute for all i 

B_i = f_2(y_0, z_i) 

and store the results in a table T_B. Both tables have 2^{2n/3} entries. 
Next, fix an arbitrary 2n/3-bit pattern α and compute all pairs of elements 
(A_i ∈ T_A, B_j ∈ T_B) such that A_i ⊕ B_j starts with α in its 2n/3 least significant 
bits. There are 

2^{2n/3} × 2^{2n/3} / 2^{2n/3} = 2^{2n/3} 

such pairs. They can be obtained with 2^{2n/3} computation. This merging of T_A 
and T_B under the constraint of the pattern α can be done by first XORing α to all 
the elements of T_A, then sorting T_B, and finally searching for a collision between 
the two tables. This costs 2^{2n/3} in time and memory. Such merging algorithms 
have been known for a long time by the folklore but have been thoroughly studied 
by Wagner in [16]. The resulting table is denoted T = T_A ⋈_α T_B. 

Finally, compute F for the 2^{2n/3} triplets (x_i, y_0, z_j) corresponding to elements 
of T. It is guaranteed that the 2n-bit output always starts with the prefix α. Hence 
the probability of collision among two such triplets is 2^{-4n/3} instead of 2^{-2n}. 
Since there are 2^{2n/3} triplets to test, the birthday paradox tells us that a collision 
is expected. To summarize, our improved collision attack requires about 

T = 2^{2n/3} 

computation steps, which is an optimal result, according to the security proof 
of [14]. The memory required is of the order of M = 2^{2n/3}. 

For an ideal compression function with a 2n-bit output, finding a collision 
should require the computation of 2^n function values. Therefore the FSE hash 
proposal is not optimal. Also, one might be tempted to truncate the output 
of the f_i-functions, e.g., to 2n/3 bits each, thereby obtaining a hash result of 
s = 4n/3 bits. However, as we shall show next, this enables one to find collisions 
in time less than 2^{2n/3}. 

3.3 Near-Collisions 

If the output of F is truncated to s < 2n we show how to find a near-collision 
with T = 2^{s/3}, that is, two inputs to F which are equal in s fixed bit-positions. 

When F_1 and F_2 are truncated by the same number of bits, the method is 
exactly the same as the one above, replacing 2n by s. 

Fix the input y of F to a value y_0. Then, consider 2^{s/3} random values of x 
and z. We denote these values by x_i and z_i for i = 1 ... 2^{s/3}. Compute, for all 
i, A_i = f_1(x_i, y_0) and store the results in a table T_A. Similarly, compute for all i 
B_i = f_2(y_0, z_i) and store the results in a table T_B. Both tables have 2^{s/3} entries. 
In both tables, we truncate the outputs of f_1 and f_2 as it is done in F. Then, 
we fix an arbitrary s/3-bit pattern β on the s/2 remaining bits, and merge T_A 
and T_B according to this pattern. We use the same algorithm as in Section 3.2. 
The result is a table T = T_A ⋈_β T_B containing: 

2^{s/3} × 2^{s/3} / 2^{s/3} = 2^{s/3} 

elements of s/2 bits. Finally, we apply F to all triplets (x_i, y_0, z_j) of T. It is 
guaranteed that the first s/3 bits of all outputs of F_1 are equal to β. Hence the 
probability of having a collision among two such triplets in all the s bits is only 
2^{-2s/3} instead of 2^{-s}. Since there are 2^{s/3} triplets to test, the birthday paradox 
tells us that a collision is expected. 

Now suppose F_1 is truncated to s_1 bits and F_2 is truncated to s_2 bits, with 
s = s_1 + s_2. The pattern β has length s/3 bits, while the elements in T have length 
s_1 bits. So when s_1 < s/3 we may have problems in the previous algorithm. In 
that case, we need to exchange the roles of F_1 and F_2, but the idea remains 
essentially the same. 

To summarize, independently of how the truncation is made, we find a near-collision 
in s bits with about T = 2^{s/3} computation. The memory required is 
also of the order of M = 2^{s/3}. The number of oracle queries is also Q = 2^{s/3}. 

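The collision attack of Section 3.2 and its near-collision variant of Section 3.3 in working form, as an added example that is not part of the paper. The three f_i are modelled as SHA-256 keyed by the index i and truncated to a toy n = 12 bits (an assumption standing in for ideal random functions, as is every other name in the block). near_collision(s) performs the merge of T_A and T_B under a pattern on s/3 bits, then the birthday search over the merged triplets, using a sample of 2^{s/3} values (times a small constant) for x and z; s = 2n gives the full collision, s = 18 the truncated case. It returns the colliding inputs together with the number of f-evaluations spent, which for the 24-bit output is a few times 2^8 rather than the 2^12 a generic birthday search on 24 bits would need. The property being exercised is the one Section 6 identifies: because F_1 is the XOR of two subfunctions whose inputs can be varied independently, the attacker can fix part of the output in advance and the birthday bound only applies to the remaining bits.

```python
import hashlib
import random

N = 12  # toy n: each f_i outputs n bits, so F outputs 2n = 24 bits


def f(i, a, b, n=N):
    # f_i : {0,1}^{2n} -> {0,1}^n, modelled here as SHA-256 keyed by the index i
    # and truncated to n bits (an assumption standing in for an ideal random function).
    data = bytes([i]) + a.to_bytes(4, "big") + b.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << n) - 1)


def F(x, y, z, n=N):
    # Rate-1/3 construction of [14]: (f1(x,y) ^ f2(y,z) | f2(y,z) ^ f3(z,x)).
    f2yz = f(2, y, z, n)
    return (f(1, x, y, n) ^ f2yz, f2yz ^ f(3, z, x, n))


def truncate(out, s, n=N):
    # Keep the s/2 least significant bits of each half (s = 2n keeps everything)
    # and pack them into one s-bit integer.
    half = s // 2
    mask = (1 << half) - 1
    return ((out[0] & mask) << half) | (out[1] & mask)


def near_collision(s, n=N, seed=1, factor=2):
    """Attack of Sections 3.2 / 3.3: two distinct inputs whose outputs agree on the
    s kept bits (s = 2n is a full collision). Returns ((p, q), f_evaluations)."""
    assert s % 6 == 0 and s <= 2 * n
    k = s // 3                              # length of the pattern alpha
    mask_k = (1 << k) - 1
    rng = random.Random(seed)
    y0 = rng.randrange(1 << n)              # fix the middle input
    m = factor * (1 << k)                   # about 2^{s/3} values of x and of z
    xs = rng.sample(range(1 << n), m)
    zs = rng.sample(range(1 << n), m)
    TA = [f(1, x, y0, n) for x in xs]       # A_i = f1(x_i, y0)
    TB = [f(2, y0, z, n) for z in zs]       # B_j = f2(y0, z_j)
    evals = 2 * m
    for alpha in range(1 << k):
        # Merge T_A and T_B under the constraint (A_i ^ B_j) & mask_k == alpha:
        # index A_i ^ alpha by its k low bits, then look every B_j up.
        index = {}
        for i, a in enumerate(TA):
            index.setdefault((a ^ alpha) & mask_k, []).append(i)
        seen = {}
        for j, b in enumerate(TB):
            for i in index.get(b & mask_k, []):
                # F1 = A_i ^ B_j is known from the tables; only f3 costs a new evaluation.
                out = (TA[i] ^ b, b ^ f(3, zs[j], xs[i], n))
                evals += 1
                h = truncate(out, s, n)     # k of its s bits are fixed to alpha, so the
                if h in seen:               # birthday bound applies to only s - s/3 bits
                    return (seen[h], (xs[i], y0, zs[j])), evals
                seen[h] = (xs[i], y0, zs[j])
    return None, evals


if __name__ == "__main__":
    (p, q), evals = near_collision(2 * N)
    print("full collision:", p, q, F(*p) == F(*q), "after", evals, "f-evaluations")
    (p, q), evals = near_collision(18)
    print("18-bit near-collision:", p, q, truncate(F(*p), 18) == truncate(F(*q), 18), evals)
```

With factor = 2 the merge yields about 4 · 2^{s/3} triplets sharing the pattern, so the birthday search on the remaining 2s/3 bits succeeds for the first pattern with overwhelming probability; the loop over further patterns only exists to make the procedure deterministic for a given seed.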
4 Preimages 

For a 2n-bit compression function, it is expected that 2^{2n} evaluations should be 
needed in order to find an input x that maps to y = F(x) for a given challenge y. 
This requirement is generally expressed as preimage resistance. Unfortunately, 
the hash proposal of [14] does not satisfy this property. In this section, we describe 
a preimage attack with complexity of 2^n steps. 


4.1 The Preimage Attack 

Let h be a given target of length 2n bits. Our goal is to find a preimage (x, y, z) 
such that F(x, y, z) = h. We can rewrite h as (h_1, h_2) and re-express our goal as: 

F_1(x,y,z) = f_1(x,y) ⊕ f_2(y,z) = h_1    (1) 

F_2(x,y,z) = f_2(y,z) ⊕ f_3(z,x) = h_2    (2) 

The basic idea is to consider many triplets (x, y, z), and to first eliminate those 
which do not satisfy (1). Actually, merging algorithms can again be used to 
check this constraint efficiently. If there are enough remaining candidates, one is 
expected to satisfy (2). 

More precisely, let us fix an arbitrary y and compute, for all possible x, 
A_x = f_1(x,y). Results are stored in a table T_A with 2^n entries. Similarly, we 
compute all B_z = f_2(y,z) and store the results in a table T_B. Using a merging 
algorithm [16] as in Section 3.2, we compute 

T = T_A ⋈_{h_1} T_B 

T contains all pairs of (A_x, B_z) such that A_x ⊕ B_z = h_1, so there should be: 

2^n × 2^n / 2^n = 2^n 

entries. The corresponding time complexity is about 2^n. By construction, all 
triplets (x,y,z) in table T satisfy relation (1). Then we compute F_2(x,y,z) for 
each of them. We expect that h_2 will be reached, since the probability for a 
random triplet to satisfy (2) is 2^{-n}. Therefore T should contain one preimage 
by F for the target h = (h_1, h_2). 

To summarize, we propose a preimage attack against the proposal of [14] 
with time complexity of T = 2^n computation steps. In addition, the memory 
requirement is about M = 2^n. The number of oracle queries to the functions f_i 
is also about 2^n. 

For an ideal compression function of 2n bits, finding a preimage should require 
about 2^{2n} computation. As was the case for collisions, it is next shown 
that truncating the output of the hash function will not give ideal security for 
the truncated construction. 


4.2 Near-Preimages 

Let h be a given target of length s < 2n bits. We can find a preimage (x, y, z) 
such that F(x,y,z) truncated to s bits yields h in time roughly 2^{s/2}. If both 
functions F_i are truncated to s/2 bits, then the method is in essence the same 
as in the previous section, simply replace n by s/2. 

Suppose that both halves of the hash proposal are not truncated equally. For 
instance, F_1 is truncated to s_1 bits and F_2 to s_2 bits, with 


Without loss of generality, we suppose that s_1 ≥ s/2 ≥ s_2. In this case, we fix an 
arbitrary value of y and consider 2^{s/2} arbitrary values of x and z. We compute 
all f_1(x,y) and store in table T_A and similarly compute all f_2(y,z) into a table 
T_B. As in the previous section, we truncate the elements in both tables, and 
then use a merging algorithm. We verify the constraint on the s_1 bits of h_1. The 
result is a table 

T = T_A ⋈_{h_1} T_B 

of size 

2^{s/2} × 2^{s/2} 


At this point, we are sure to hit the target h_1 for all triplets of T. Since there are 
2^{s_2} such triplets, one of them should also hit the target h_2 and therefore provide 
a valid preimage. 

Therefore, if the double length hash is truncated to s bits (it does not matter 
which bits of the output are removed), then a preimage attack costs only 2^{s/2}. 

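The preimage attack of Section 4.1 and its near-preimage form of Section 4.2 in working form, as an added example that is not the paper's code. The f_i are again modelled as SHA-256 keyed by the index i and truncated to a toy n = 10 bits (an assumption; all function names in the block are mine). preimage_attack(target, s1, s2) builds T_A indexed by A_x ⊕ h_1 on the s_1 kept bits, merges every B_z against it so that each surviving pair satisfies relation (1), and then tests relation (2) on the remaining s_2 bits; s1 = s2 = n is the full 2n-bit preimage, and s1 ≥ s/2 ≥ s2 is the unequal truncation of Section 4.2. The one addition to the paper's description is that a fresh y is tried when the roughly 2^{s_2} merged candidates of one batch happen not to contain a solution, which the paper leaves implicit by expecting one solution per batch; each batch still costs about 2^{s/2} evaluations.

```python
import hashlib
import random

N = 10  # toy n: each f_i outputs n bits, so F outputs 2n = 20 bits


def f(i, a, b, n=N):
    # f_i : {0,1}^{2n} -> {0,1}^n, modelled as SHA-256 keyed by the index i and
    # truncated to n bits (an assumption standing in for an ideal random function).
    data = bytes([i]) + a.to_bytes(4, "big") + b.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << n) - 1)


def F(x, y, z, n=N):
    # Rate-1/3 construction of [14]: (f1(x,y) ^ f2(y,z) | f2(y,z) ^ f3(z,x)).
    f2yz = f(2, y, z, n)
    return (f(1, x, y, n) ^ f2yz, f2yz ^ f(3, z, x, n))


def truncated(out, s1, s2):
    # Keep the s1 low bits of F1 and the s2 low bits of F2.
    return (out[0] & ((1 << s1) - 1), out[1] & ((1 << s2) - 1))


def preimage_attack(target, s1, s2, n=N, max_tries=64, seed=7):
    """Attack of Section 4: find (x, y, z) whose output, truncated to (s1, s2) bits,
    equals target = (h1, h2). s1 = s2 = n is the full 2n-bit preimage of Section 4.1.
    Returns (triplet, f_evaluations)."""
    # Mirrored case s2 > s1 (not implemented here): fix z and merge f2 with f3 instead.
    assert s1 <= n and s2 <= n and s1 >= s2
    h1, h2 = target
    s = s1 + s2
    m = min(1 << ((s + 1) // 2), 1 << n)    # about 2^{s/2} values of x and of z
    mask1, mask2 = (1 << s1) - 1, (1 << s2) - 1
    rng = random.Random(seed)
    evals = 0
    # The paper fixes one arbitrary y; each y yields about 2^{s2} candidates that
    # satisfy (1), of which one is expected to satisfy (2), so we retry with a
    # fresh y until one does (a couple of tries on average).
    for y in range(max_tries):
        xs = rng.sample(range(1 << n), m)
        zs = rng.sample(range(1 << n), m)
        TA = {}                               # A_x = f1(x, y), indexed by (A_x ^ h1) on s1 bits
        for x in xs:
            TA.setdefault((f(1, x, y, n) ^ h1) & mask1, []).append(x)
        evals += m
        for z in zs:
            B = f(2, y, z, n)                 # B_z = f2(y, z)
            evals += 1
            # Merge: every x listed here gives (A_x ^ B_z) & mask1 == h1, relation (1).
            for x in TA.get(B & mask1, []):
                F2 = B ^ f(3, z, x, n)
                evals += 1
                if F2 & mask2 == h2:          # relation (2) holds: a preimage
                    return (x, y, z), evals
    return None, evals


if __name__ == "__main__":
    tgt = (0x2A5, 0x1F3)                      # constructed 2n-bit target (h1, h2)
    sol, evals = preimage_attack(tgt, N, N)
    print("preimage:", sol, F(*sol) == tgt, "after", evals, "f-evaluations")
    sol, evals = preimage_attack((0x3C, 0x15), 8, 6)
    print("14-bit near-preimage:", sol, truncated(F(*sol), 8, 6) == (0x3C, 0x15), evals)
```

For n = 10 the full preimage costs a few thousand evaluations of the f_i against the 2^{20} a generic search on a 20-bit output would need, which is the gap Table 1 records as 2^n versus 2^{2n}.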

5 Application to the 2/3 Rate Compression Function 

[14] also specifies a rate 2/3 compression function and gives an example of an im- 
plementation of the scheme using a block cipher as the underlying cryptographic 
primitive. Here we give only the generic description of the proposal using ran- 
domly chosen functions as building blocks. 
Let f_i : {0,1}^{3n} → {0,1}^n be independent random functions, for i = 1, 2, 3. 
Define the compression function F : {0,1}^{4n} → {0,1}^{2n} 

F(x,y,z,w) = (F_1(x,y,z,w) | F_2(x,y,z,w)) 

           = (f_1(x,y,w) ⊕ f_2(y,z,w) | f_2(y,z,w) ⊕ f_3(x,z,w)) 

This function has a rate of 2/3: it compresses two blocks of n bits with three 
evaluations of the f-functions. Note however that this scheme is not directly 
comparable to the first schemes presented above, since the underlying functions 
are of a different nature. 

Nonetheless, the collision and preimage attacks presented earlier also apply 
to this variant. This is easy to observe : by fixing the value of w in the rate 
2/3 scheme, one gets exactly the rate 1/3 scheme. It follows easily that all the 
attacks described in the previous sections also apply to the implementation of 
the proposal using a block cipher. 

6 Some General Considerations 

There is one important property of the compression function of [14] that makes 
our attacks possible: two of the three underlying subfunctions f_i can be 
attacked independently, by fixing one input variable. Another important observation 
is that (part of) the output is the sum of the outputs of smaller subfunctions. 
This opens the door for techniques more efficient than the usual birthday 
attack. Consider a compression function of the form 

h(x) = h_1(x_1 | y) ⊕ h_2(x_2 | y), 

where x_1 can be varied independently of x_2 and vice versa. Then in a search for 
a collision on h, one is looking for values x_1, x_1', x_2, x_2', such that 

h_1(x_1 | y) ⊕ h_2(x_2 | y) ⊕ h_1(x_1' | y) ⊕ h_2(x_2' | y) = 0, 

a solution to which is known to be faster than the birthday attack [16]. 

One possible way to remove this freedom for an attacker could be to use 
subfunctions whose outputs depend on all (three) input variables. We can do 
so in a rate 1/3 construction using the subfunctions of the (insecure) rate 2/3 
proposal of [14]. Let f_i : {0,1}^{3n} → {0,1}^n be independent random functions, 
for i = 1, 2, 3. Define the compression function F : {0,1}^{3n} → {0,1}^{2n} 

F(x, y, z) = (f_1(x,y,z) ⊕ f_2(x,y,z) | f_2(x,y,z) ⊕ f_3(x,y,z)) 

Evidently this reduces to a construction of the form 

F(x,y,z) = (g_1(x,y,z) | g_2(x,y,z)). 

The construction of secure double length compression functions of this form is 
further investigated in recent papers by Lucks [11] and Nandi [13]. 
Table 1. Summary of all attacks against [14] 

Type of Attack            Time        Memory      Oracle Query 
Collision [14]            2^n         2^n         2^{2n/3} 
Collision                 2^{2n/3}    2^{2n/3}    2^{2n/3} 
Near-collision (s bits)   2^{s/3}     2^{s/3}     2^{s/3} 
Preimage                  2^n         2^n         2^n 
Near-preimage (s bits)    2^{s/2}     2^{s/2}     2^{s/2} 

7 Conclusion 

In this paper, we have investigated a new double block length hash function 
proposed at FSE 2005 by Nandi et al. Their idea is to turn a "small", secure, 
n-bit compression function into a 2n-bit compression function. The advantage 
of their method is to offer a proof of security regarding collision attacks. 

Although we do not contradict this security proof, we show that this construction 
is not fully satisfactory. Indeed, its security level is much worse than a 
generic 2n-bit compression function. Table 1 summarizes all these results. 

In addition, we have introduced new notions of security for compression functions, 
i.e. near-collision and near-preimage resistance. These notions are important, 
because it is quite usual that hash function outputs are truncated for 
practical purposes. One could be tempted to truncate the output of [14] to 4n/3 
bits or less, in order to fit the proven security bound. Our results show that 
this would be a bad idea because it would deteriorate the security of the construction 
below 2^{2n/3}. 
Abstract. This paper reconsiders the established Merkle-Damgard design 
principle for iterated hash functions. The internal state size w of an 
iterated n-bit hash function is treated as a security parameter of its own 
right. In a formal model, we show that increasing w quantifiably improves 
security against certain attacks, even if the compression function fails to 
be collision resistant. We propose the wide-pipe hash, internally using a 
w-bit compression function, and the double-pipe hash, with w = 2 n and 
an n-bit compression function used twice in parallel. 

Keywords: hash function, provable security, multi-collision, failure- 
friendliness. 


1 Introduction 

A cryptographic hash function H : {0,1}* → {0,1}^n maps an infinite set of inputs 
to the finite set of n-bit hash values. While collisions (inputs X ≠ Y with H(X) = 
H(Y)) necessarily exist, a hash function should be collision resistant: given H, it 
should be infeasible for an adversary to actually find any collisions. But what if a 
hash function fails to be collision resistant? This paper deals with failure-friendly 
hash functions providing some security even if collision resistance has failed. It 
has been inspired by recent advances in collision finding [25,26,27,28,1]. 

The design of today’s cryptographic hash functions ubiquitously follows the 
Merkle/Damgard (MD) structure [16,6], iterating some underlying compression 
function. The hash function is collision resistant, if the compression function 
is. However, if computing a compression function collision is somehow feasible, 
the hash function may fail worse than expected. E.g., finding multiple collisions 
should be way more expensive than finding plain (2-)collisions - but Joux [11] 
disproved this for the MD design. Also, MD hash functions completely fail to 
defend against 2nd collision attacks: If H(M) = H(N) for any two messages 
M, N, then H(M||S) = H(N||S) for all S ∈ {0,1}^n. (Technically, this assumes 
M and N to be “extended messages”, see below.) In other words, given a single 
collision, an adversary can easily construct many more collisions. This has long 
been known, but recently been exploited to turn “random” collisions (as, e.g., 
for MD5 [26]) into “meaningful” ones [12,17,14,15]. Even a 2nd preimage like 
scenario is possible [7]: given any two texts T_1 and T_2, Daum and Lucks presented 
two corresponding PostScript files with identical MD5 hashes. 

B. Roy (Ed.): ASIACRYPT 2005, LNCS 3788, pp. 474-494, 2005. 
Our Contributions. This paper describes and analyses failure-friendly iterated 
hash functions. The goal is to defend against certain classes of attacks 
even if collision resistance fails. We propose and analyse variants of the Merkle-Damgard 
design, increasing the internal state to w > n bits. The wide-pipe hash 
is quite similar to the Merkle-Damgard hash, except for using a “largish” w-bit 
compression function to finally generate n < w bits of output. The double-pipe 
hash sets w = 2n and employs one single n-bit compression function, used twice 
in parallel for each message block. In random and standard model settings, we 
prove the security of our schemes against K-collision attacks (for K > w), and 
K-way preimage and 2nd preimage attacks (for K ≥ 1). Additionally, we 
discuss and semi-formally verify the resistance against 2nd collision attacks. 
Related Proposals. The double-pipe hash may remind the readers of the 
RIPEMD-family of hash functions [22,8], also calling two compression functions 
in parallel. The hash functions specified in [22,8] combine both n-bit compression 
values into a single n-bit state, strictly following the Merkle-Damgard design 
principle, thus being as failure-unfriendly as any Merkle-Damgard hash func- 
tion. But [8] also outlines some double-width variants of RIPEMD-128 and -160, 
which we refer to as RIPEMD-256 and -320. RIPEMD-256 and -320 can almost 
be viewed as instantiation of our design principle - except for the following: 

— By outputting both compression values at the end, RIPEMD-256 and -320 
use the two n-bit compression functions like a single 2n-bit compression func- 
tion - again following the Merkle-Damgard design, thus, e.g., being entirely 
vulnerable to 2nd collision attacks. 

— RIPEMD-256 and -320 were proposed as a convenience feature for applications 
requiring a 2n-bit hash “without needing a larger security level” [8]. On 
the other hand, our double-pipe construction has been designed to improve 
the security against certain attacks. 

We propose a generic and failure-friendly design principle providing provable 
security under reasonable assumptions. Assuming a “good” n-bit compression 
function, 1 our analysis would justify the usage of, say, a failure-friendly variant 
of RIPEMD-320 with 2n = 320 internal state bits and n = 160 output bits. 

Recently, Coron et al. [5] also analysed variants of the Merkle-Damgard de- 
sign in a fashion similar to the current paper. One of the proposals in [5] is 
rather similar to our wide-pipe design. However, [5] aims for variably-sized ran- 
dom oracles, based on an (extremely strong) ideal compression function (i.e., a 
fixed-size random oracle). This is orthogonal to our approach of taking possible 
compression function weaknesses into account. Nandi et al. [18] proposed and 
analysed a rather different “2/3 rate double length compression function”. Both 
[5] and [18] restrict their analysis to the random and Shannon oracle, while the 
current paper also provides some analyses in the standard model. Also, none of 
the constructions in [5,18] resemble the current paper’s double-pipe hash design. 

1 Note that [8] took great care to ensure that both compression functions behave 
“differently enough”. Somewhat surprisingly, our results indicate that it would even 
be OK to use the same compression function twice, instead of two different functions. 
Road map. We first describe Merkle-Damgard hashing and introduce notations, 
abstractions, and attacks. Section 2 describes and analyses the wide-pipe hash, 
a modified Merkle-Damgard design with an extended internal state size. Section 
3 modifies the wide-pipe hash, introducing and analysing the double-pipe hash. 
Section 4 investigates the security of a “weakened” double-pipe hash, based on a 
common construction for compression functions; see Appendix A for the proofs. 
Section 5 deals with extension attacks and Section 6 discusses our results and 
their implications. Appendix B provides examples for our hash constructions. 

1.1 The Merkle-Damgard (MD) Principle for Iterated Hashing 

A hash function H takes a message M ∈ {0,1}* to compute H(M) ∈ {0,1}^n. 
(In practice, the length |M| of M may be bounded by some huge constant.) An 
iterated hash H is based on a compression function C with a fixed number of 
input bits and splits M into fixed-sized chunks M_1, M_2, ..., M_L ∈ {0,1}^m. The 
final chunk M_L may contain additional information, such as |M|. (M_1, ..., M_L) is 
the “expanded message”. Assume a compression function C : {0,1}^n × {0,1}^m → 
{0,1}^n and a fixed initial value H_0. Given M ∈ {0,1}*, one computes the MD 
hash as follows: 

- Expand M to (M_1, ..., M_L) ∈ {0,1}^{mL}. (MD strengthening: The last block 
M_L takes the length |M| in bits. Thus, if |M| ≠ |M'|, then M_L ≠ M'_L.) 

- For i ∈ {1, ..., L}: compute H_i := C(H_{i-1}, M_i). 

- Finally: output H_L. 



Fig. 1. The Merkle-Damgard (MD) Hash 


Note that the MD hash function does not provide any resistance against 2nd 
collision attacks: consider messages M ≠ M' with expansions (M[1], ..., M[L]) 
and (M'[1], ..., M'[L]). If M and M' collide, then H[L] = H'[L] for H[L] = 
C(·, M[L]) and H'[L] = C(·, M'[L]), and therefore all expanded messages (M[1], 
..., M[L], S[1], ..., S[T]) and (M'[1], ..., M'[L], S[1], ..., S[T]) also collide. 

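The MD iteration of Section 1.1 together with the 2nd-collision remark above and the Joux multicollision mentioned in the introduction, as an added example that is not the paper's code. The compression function C is modelled as SHA-256 over (state, block) truncated to a toy n = 16 bits with 8-byte blocks (an assumption; all names in the block are mine), and both properties are exercised at the level of expanded messages exactly as the remark does: second_collision shows that once two block sequences collide, appending any common suffix keeps them colliding, and joux_multicollision chains t block collisions, each found by a birthday search of about 2^{n/2} evaluations at the current chaining value, into 2^t distinct messages with one hash.

```python
import hashlib

N_BITS = 16  # toy n: state and output size of the compression function, in bits
BLOCK = 8    # toy m = 64 bits: one message block is 8 bytes


def C(h, block):
    # Toy compression function C : {0,1}^n x {0,1}^m -> {0,1}^n, modelled as
    # SHA-256 over (state, block) truncated to n bits (an assumption, not a real design).
    assert len(block) == BLOCK
    d = hashlib.sha256(h.to_bytes(2, "big") + block).digest()
    return int.from_bytes(d[:2], "big")


def md_iterate(blocks, h0=0):
    # Merkle-Damgard iteration over an expanded message (M[1], ..., M[L]); H[0] is the IV.
    h = h0
    for b in blocks:
        h = C(h, b)
    return h


def find_block_collision(h, max_tries=1 << 14):
    """Birthday search for blocks A != B with C(h, A) == C(h, B);
    about 2^{n/2} evaluations of C are expected."""
    seen = {}
    for t in range(max_tries):
        b = t.to_bytes(BLOCK, "big")      # constructed candidate blocks: a counter
        v = C(h, b)
        if v in seen:
            return seen[v], b
        seen[v] = b
    raise RuntimeError("no collision within the budget")


def second_collision(m_blocks, n_blocks, suffix):
    """The 2nd-collision weakness of MD: once two expanded messages collide, their
    chaining values agree, so appending any common suffix keeps them colliding."""
    assert m_blocks != n_blocks and md_iterate(m_blocks) == md_iterate(n_blocks)
    return md_iterate(m_blocks + suffix) == md_iterate(n_blocks + suffix)


def joux_multicollision(t, h0=0):
    """Joux's observation [11]: t block collisions, found one chaining value at a
    time, combine into 2^t distinct messages with the same hash, for roughly
    t * 2^{n/2} work instead of the generic cost of a K-collision with K = 2^t."""
    h = h0
    choices = []
    for _ in range(t):
        a, b = find_block_collision(h)
        choices.append((a, b))
        h = C(h, a)                       # == C(h, b), so both branches continue from h
    msgs = [[]]
    for a, b in choices:
        msgs = [m + [a] for m in msgs] + [m + [b] for m in msgs]
    return msgs, h


if __name__ == "__main__":
    a, b = find_block_collision(0)
    print("block collision:", a.hex(), b.hex(), "->", hex(C(0, a)))
    print("extends with any suffix:", second_collision([a], [b], [bytes(BLOCK)] * 3))
    msgs, h = joux_multicollision(3)
    print(len(msgs), "messages all hashing to", hex(h))
```

Running it with n = 16 finds each block collision after a few hundred evaluations of C, so the 8-way multicollision costs under a thousand evaluations, which is the failure the wide-pipe and double-pipe designs of the following sections are built to contain.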

1.2 Notation, Abstractions, and Attacks 

Random Oracles. A fixed-size random oracle is a function f : {0,1}^a → 
{0,1}^b, chosen uniformly at random. For interesting sizes a and b, it is infeasible 
to implement f, or to store its truth table. Thus, we assume a public oracle 
which, given x ∈ {0,1}^a, computes y = f(x) ∈ {0,1}^b. A variably-sized random 
oracle is a random function g : {0,1}* → {0,1}^b, accessible by a public oracle. 
Equivalently, g is an infinite set of fixed-size random oracles g_a : {0,1}^a → {0,1}^b 
for a ∈ {0, 1, 2, ...}. We view a fixed-size random oracle as an ideal compression 
function, and a variably-sized random oracle as an ideal hash function. 
Shannon Oracle. An ideal block cipher is some invertible random oracle E : 
{0,1}^n × {0,1}^m → {0,1}^n, such that for each M ∈ {0,1}^m, for the function 
E(·,M) = E_M(·) an inverse E^{-1}(·,M) exists. Apart from that, E is uniformly 
chosen at random. Given x and M, one can ask a Shannon oracle for y = 
E(x,M), and, given y and M, one can ask the oracle for x = E^{-1}(y,M). 
Adversary. As usual in the context of the Shannon and random oracle models, 
we consider a computationally unbounded adversary with access to either a 
Shannon or a random oracle. The adversary’s “running time” is determined by 
her number of oracle queries. Our adversaries are probabilistic algorithms, and 
we concentrate on the expected running time (i.e., the expected number of oracle 
queries). We will describe the running time asymptotically. When necessary for 
clarity, we use the symbols O (“big-Oh”, for “the expected running time is 
asymptotically at most”) and Ω (“big-Omega”, for “... at least”). 2 
Classes of Attacks. Informally, a real hash function H should behave like an 
ideal one (i.e., like a random oracle). This would not be useful for a formal 
definition, though (see [4]). Instead, one considers somewhat simpler security 
goals for H : {0,1}* → {0,1}^n. We consider the following classes of attacks: 

K-collision for K ≥ 2: Find K different M_i with H(M_1) = ··· = H(M_K). 

K-way (2nd) preimage for K ≥ 1: Given Y (or M with H(M) = Y), find K 
different messages M_i, with H(M_i) = Y (and M_i ≠ M). 

2nd collision: Given any collision (A, B) with H(A) = H(B), find C, D with 
C ∉ {A, B, D} and H(C) = H(D). 

The first two classes include “traditional” 2-collisions, 1-way preimages and 1-way 
2nd preimages. Some applications need protection against the large-K 
variants, e.g., [10,23,3]. The third class deals with a very natural assumption 
for “good” hash functions: even if the adversary somehow - with a great deal of 
luck, by doing much computational work, or by a mixture of both - has found 
one collision, it should still be hard to find another one. The poor defence of 
established hash functions against such attacks has been elaborated above. 
Facts. Our analysis uses the following facts: 

1. Fact: Finding a K-collision for a fixed size random oracle C : {0,1}^{n+m} → 
{0,1}^n or for a variably-sized random oracle H : {0,1}* → {0,1}^n 
takes time Ω(2^{(K-1)n/K}), and finding a K-way preimage or a K-way 2nd 
preimage for H or C takes time Ω(K · 2^n). 

2. Fact: Given a collision A ≠ B with C(A) = C(B) for a fixed size random 
oracle C : {0,1}^{n+m} → {0,1}^n (or H(A) = H(B) for a variably-sized random 
oracle H : {0,1}* → {0,1}^n), finding a 2nd collision C ≠ D, C ∉ {A, B} for 
C (or H) takes time Ω(2^{n/2}). 

2 Recall f = O(g), if a constant c exists, such that f(n) ≤ c·g(n) holds for all large 
enough n, and f = Ω(g), if a c exists such that f(n) ≥ c·g(n) for all large enough n. 
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Initial Values. Like the MD hash, our hash functions depend on the compres- 
sion function(s) and an initial value (IV). One can set the IV to some fixed 
(“random”) constant. But for our analysis, we will even allow the adversary to 
actually choose the IV. 3 This makes our results all the more meaningful. 
Standard Model Formalism. For a fixed hash function $H : \{0,1\}^* \to \{0,1\}^n$, 
trivial algorithms to “find” collisions exist: given any $M \neq M'$ with $H(M) = H(M')$, 
output $M$ and $M'$. Collision resistance implies the non-existence of 
algorithms to “find” collisions. Thus, for a standard model proof of collision 
resistance, we must refine our formalism. Instead of a fixed hash function, we 
actually consider a hash function family $H : I \times \{0,1\}^* \to \{0,1\}^n$. Here, $I$ is 
a finite nonempty set of indices (or “keys”). We assume an index $i^* \in I$ being 
chosen uniformly at random, write $H(\cdot)$ instead of $H(i^*, \cdot)$ and consider the fixed 
hash function $H : \{0,1\}^* \to \{0,1\}^n$ as a random member of its family. 

Fix some RAM model of computation. In any attack game, the adversary 
is given $i^*$ as its first input. We measure the adversary’s expected running time 
over uniformly distributed random $i^*$ (and the adversary’s internal coin flips, if 
applicable). To capture a trivial adversary using huge tables, the running time 
of any program is assumed to be at least linear in the program size. 

We formalise compression functions $C$ exactly like hash functions: assume 
a family $C : I_C \times \{0,1\}^a \to \{0,1\}^b$ and an index $i^C \in I_C$ chosen uniformly 
at random, write $C(\cdot)$ instead of $C(i^C, \cdot)$, and consider the fixed compression 
function $C : \{0,1\}^a \to \{0,1\}^b$ as a random member of its family. An adversary’s 
running time is taken over random $i^C$. If $H$ is defined by iterating $C$, a random 
member of the hash family $H$ is defined by $i^C$ and some random initial value $H_0$, 
i.e., $i^* = (i^C, H_0)$. Similarly, if $H$ is constructed by applying $C'$ and $C''$, then 
$i^* = (i^{C'}, i^{C''}, H_0)$. Recall that in our attacks we even allow the adversary to 
choose $H_0$. The adversary can make this choice after being given $i^C$ or $(i^{C'}, i^{C''})$. 

2 The Wide-Pipe Hash: A Modified MD Hash 

Constructing a collision-resistant compression function with $w > n$ output bits 
may be simpler than constructing an $n$-bit compression function with the same 
level of collision resistance. The wide-pipe hash uses such a $w$-bit compression 
function to generate an $n$-bit hash value at the end.$^4$ This approach defeats 
Joux’ attack, and even provides security against all generic $K$-collision attacks 
(which treat the compression function as a random oracle). Let $H_0 \in \{0,1\}^w$ be 
a (random) initial value. Using two compression functions 

$C' : \{0,1\}^w \times \{0,1\}^m \to \{0,1\}^w$ and $C'' : \{0,1\}^w \to \{0,1\}^n$, 

we compute the wide-pipe hash $H$: 

- For $i \in \{1, \ldots, L\}$: compute $H_i := C'(H_{i-1}, M_i)$. 

- Finally: set $H(M) = C''(H_L)$. 

$^3$ This is similar to the “aSec” and “aPre” notions of hash function security from [24]. 

$^4$ This idea has independently been proposed by Finney in a mailing list [9]. 

Fig. 2. The Wide-Pipe Hash 
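The construction above, written out as an added Python example (this is not code from the paper). The compression function $C'$ is stood in for by SHA-256 of the chaining value and the block, truncated to $w$ bits, and $C''$ is the plain $n$-bit truncation from Theorem 2; the sizes $w = 256$, $n = 128$, $m = 512$ and the MD-style padding are assumptions made here. The last function implements the paper's case split into internal and final collisions for a given pair of colliding messages.

```python
"""Wide-pipe hash, added illustration (not the paper's own code).

Assumptions: C' is modelled by SHA-256(chaining value || block) truncated
to w bits, C'' is the n-bit truncation of Theorem 2 (case 2), and the
parameters below are demo sizes chosen here, not taken from the paper.
"""
import hashlib

W_BYTES = 32   # w = 256 internal bits   (assumption)
N_BYTES = 16   # n = 128 output bits     (assumption)
M_BYTES = 64   # m = 512 block bits      (assumption)


def c_prime(h: bytes, block: bytes) -> bytes:
    """C' : {0,1}^w x {0,1}^m -> {0,1}^w, random-oracle stand-in."""
    assert len(h) == W_BYTES and len(block) == M_BYTES
    return hashlib.sha256(h + block).digest()[:W_BYTES]


def c_double_prime(h: bytes) -> bytes:
    """C'' : {0,1}^w -> {0,1}^n, plain truncation to the first n bits."""
    return h[:N_BYTES]


def expand(msg: bytes) -> list[bytes]:
    """MD-style expansion into m-bit blocks: 0x80, zero fill, 64-bit length."""
    bit_len = (8 * len(msg)).to_bytes(8, "big")
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % M_BYTES) + bit_len
    return [padded[i:i + M_BYTES] for i in range(0, len(padded), M_BYTES)]


def internal_states(msg: bytes, iv: bytes) -> list[bytes]:
    """Return the internal hash values H_0, H_1, ..., H_L for msg."""
    states = [iv]
    for block in expand(msg):
        states.append(c_prime(states[-1], block))
    return states


def wide_pipe(msg: bytes, iv: bytes) -> bytes:
    """H(M) = C''(H_L): the n-bit wide-pipe digest."""
    return c_double_prime(internal_states(msg, iv)[-1])


def classify_collision(m: bytes, n_: bytes, iv: bytes) -> str:
    """Case split of the paper for m != n with H(m) == H(n):
    'internal' if the w-bit states H_L already agree (a collision for C'),
    'final' if only the truncated outputs agree (a collision for C'')."""
    if m == n_ or wide_pipe(m, iv) != wide_pipe(n_, iv):
        return "no collision"
    hl_m = internal_states(m, iv)[-1]
    hl_n = internal_states(n_, iv)[-1]
    return "internal" if hl_m == hl_n else "final"
```

With these sizes an internal collision costs about $2^{w/2} = 2^{128}$ evaluations of $C'$, while a final collision only needs the $2^{n/2} = 2^{64}$ of the $n$-bit output; the case split is what the lemmas below charge separately.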

For technical reasons, we need to distinguish between different kinds of collisions. 
Consider $M \neq N$ with $H(M) = H(N)$. $M$ and $N$ are expanded to 
sequences $(M_1, \ldots, M_L) \neq (N_1, \ldots, N_{L'})$. Denote $H_i^M$ and $H_i^N$ for the internal 
hash values when computing $H(M)$ and $H(N)$. We define 

Final collisions: $H_L^M \neq H_{L'}^N$, but $C''(H_L^M) = C''(H_{L'}^N)$. 

Internal collisions: $H_L^M = H_{L'}^N$. (Note that an internal collision implies a collision 
for $C'$, i.e., $(H_{i-1}^M, M_i) \neq (H_{j-1}^N, N_j)$ with $C'(H_{i-1}^M, M_i) = C'(H_{j-1}^N, N_j)$.) 

Final $K$-collisions: Any $K$-collision $M^1, \ldots, M^K$ (with $H(M^1) = \cdots = H(M^K)$) 
is final, if all 2-collisions $(M^i, M^j)$ (with $i \neq j$) are final. 


2.1 Resistance Against $K$-Collision Attacks 

Observe that Joux finds $2^k$-collisions in time $\min\{k \cdot 2^{w/2}, 2^{n(2^k-1)/2^k}\}$. This 
tightly describes the security of $H$, up to the (logarithmic) factor $k$. Define the 
composition $f'' : \{0,1\}^w \times \{0,1\}^m \to \{0,1\}^n$ of $C'$ and $C''$ by $f''(H, M) = C''(C'(H, M))$, 
as indicated in Figure 2. Make the following two assumptions: 

1. $C'$ is collision resistant, and 2. $f''$ is $K$-collision resistant. 

Under these assumptions, we prove the $K$-collision resistance of $H$.$^5$ For the 
concrete security analysis, we assume that finding a collision for $C'$ takes at 
least time $T'$, and finding a $K$-collision for $f''$ at least time $T''(K)$. 

Lemma 1. An adversary needs $\Omega(\min\{T', T''(K)\})$ units of time to find a $K$-collision 
for the wide-pipe hash $H$, even if she can choose $H_0$. 

Proof. Any final $K$-collision is equivalent to a $K$-collision for $f''$. On the other 
hand, if a $K$-collision for $H$ is not a final $K$-collision, then an internal collision 
has been found. For all $H_0$, finding an internal collision is equivalent to finding 
a collision for $C'$. Thus, finding a $K$-collision for $H$ is at least as hard as finding 
either a $K$-collision for $f''$, or a collision for $C'$. □ 

In the random oracle model, $H$ is as secure against multi-collision attacks 
as an ideal hash for $w \ge 2n$. 

$^5$ It would seem natural to assume the $K$-collision resistance of $C''$. Indeed, $f''$ is $K$-collision 
resistant if $C'$ is collision resistant and $C''$ is $K$-collision resistant. But even 
if $C''$ is $K$-collision vulnerable, $f''$ can still be $K$-collision resistant. E.g., model $C'$ 
as a random oracle and set $C''$ to be the plain truncation of $w$-bit inputs to $n$-bit 
outputs. For $\log_2(K) \le w - n$, $C''$ is trivially $K$-collision weak, but $f''$ is not. 
Theorem 2. Consider the wide-pipe hash $H$. Allow the adversary to choose $H_0$. 

1. Model $C'$ and $C''$ as independent random oracles. The adversary needs time 
$\Omega(\min\{2^{w/2}, 2^{n(K-1)/K}\})$ to find a $K$-collision for $H$. 

2. Define $C'' : \{0,1\}^w \to \{0,1\}^n$, $C''(x_1, \ldots, x_w) = (x_1, \ldots, x_n)$ as the $n$-bit 
truncation of its $w$-bit input. Model $C'$ as a random oracle. The adversary 
needs time $\Omega(\min\{2^{w/2}, 2^{n(K-1)/K}\})$ to find a $K$-collision for $H$. 

Proof. Due to Lemma 1, finding a $K$-collision takes time $\Omega(\min\{T', T''(K)\})$. 
By Fact 1, $T' = \Omega(2^{w/2})$. If $C''$ is an independent random oracle, then $T''(K) = \Omega(2^{n(K-1)/K})$. 
If $C''$ just truncates, then $f''$ can be viewed as a random oracle 
with $n$ output bits. Again, this gives $T''(K) = \Omega(2^{n(K-1)/K})$. □ 

2.2 Resistance Against $K$-Way (2nd) Preimage Attacks 

Joux’ (2nd) preimage attack also works for the wide-pipe hash. Its time $O(k \cdot 2^{w/2} + 2^n)$ 
tightly bounds the security of $H$, up to the (logarithmic) $k$. Let $T'$ be 
a lower bound for finding collisions for $C'$ (as before) and assume that finding 
$K$-way preimages for $f''$ takes at least time $P''(K)$. 

Lemma 3. Consider the wide-pipe hash $H$. Allow the adversary to choose $H_0$. 

1. The adversary needs time $\Omega(P''(1))$ to find a single preimage for $H$. 

2. She needs time $\Omega(\min\{T', P''(K)\})$ to find a $K$-way preimage for $H$. 

Proof. Finding a preimage for $H$ implies finding a preimage for $f''$. Finding a 
$K$-way preimage for $H$ either implies finding at least one internal collision, and 
thus a collision for $C'$, or a $K$-way preimage for $f''$. □ 

In the random oracle model, we also consider 2nd preimage attacks. 

Theorem 4. Consider the wide-pipe hash $H$. Model $C'$ and $C''$ as independent 
random oracles. An adversary allowed to choose $H_0$ needs 

1. time $\Omega(2^n)$ to find a single preimage for $H$, 

2. time $\Omega(\min\{2^{w/2}, K \cdot 2^n\})$ to find a $K$-way preimage for $H$, and 

3. time $\Omega(\min\{2^{w/2}, K \cdot 2^n\})$ to find a $K$-way 2nd preimage for $H$. 

Proof. The first two bounds are direct consequences of Lemma 3 and Fact 1. 
Now consider 2nd preimages: given a random $X \in \{0,1\}^w$, we are searching 
for one or more different $X^i \in \{0,1\}^w$ with $C''(X) = C''(X^i)$. We choose an 
arbitrary message $M$ with the expansion $M_1, \ldots, M_L$, query the $C'$-oracle for 
the internal hash values $H_1, \ldots, H_L$, and define 



Note that with overwhelming probability $X \neq H_L$. Now we run the adversary to 
find single or multiple 2nd preimages for $M$, replacing $C''$ by $C'''$. Observe that 
$X$ is a random value, and, since $C'$ is a random oracle, $H_L$ is random, too. Thus, 
$C'''$ is a uniformly distributed random function just like $C''$; the adversary 
can’t distinguish between $C''$ and $C'''$. Our little manipulation (replacing $C''$ by 
$C'''$ for the adversary) does not affect the adversary’s probability of success or 
running time. We write $H'''$ for the wide-pipe hash function using $C'$ and $C'''$. 

If the adversary succeeds, she finds 2nd preimage(s) $M^i$ with $H'''(M) = H'''(M^i)$. 
We write $L^i$ for the length of the expansion of $M^i$ (in chunks). Consider 
the inputs $H^i_{L^i}$ for $C'''$. If $H^i_{L^i} = H_L$, we have found a collision for $C'$. Else, $H^i_{L^i}$ 
is a 2nd preimage for $C''$. □ 

Increasing $w$ improves the security of $H$ against multiple (2nd) preimage attacks. 
But an adversary whose running time exceeds $2^{w/2}$ can still run Joux’ attack and 
benefit from the iterated structure of $H$. In fact, no hash function with some 
fixed internal state size $w$ can be as secure against multiple (2nd) preimage 
attacks as an ideal hash. 


3 The Double-Pipe Hash 

There is one drawback for the wide-pipe design: its compression function $C'$ 
needs a larger output and finding collisions for $C'$ must be much harder than 
finding collisions for the hash function itself. It would be interesting to use a 
compression function which only has to satisfy essentially the same security 
requirements as the hash. For instance, if we assume the internal compression 
function of SHA-1, RIPEMD-160, or SHA-256 to be as secure as an ideal 160-bit 
(256-bit for SHA-256) compression function, can we construct some variant to 
improve security? Note that the SHA-1 and RIPEMD-160 compression functions 
can be written as $C : \{0,1\}^{160} \times \{0,1\}^{512} \to \{0,1\}^{160}$, their SHA-256 counterpart 
as $C : \{0,1\}^{256} \times \{0,1\}^{512} \to \{0,1\}^{256}$. Thus, the following construction would 
be applicable to all of them: Using one single narrow-pipe compression function 
$C : \{0,1\}^n \times \{0,1\}^{n+m} \to \{0,1\}^n$, with $m > n$ and two distinct (random) initial 
values $H'_0 \neq H''_0 \in \{0,1\}^n$, we compute the double-pipe hash $H^D$: 

- For $i \in \{1, \ldots, L-1\}$: compute 

  • $H'_i := C(H'_{i-1}, H''_{i-1} \| M_i)$ and 

  • $H''_i := C(H''_{i-1}, H'_{i-1} \| M_i)$. 

- Finally: $H^D(M) := C(H'_{L-1}, H''_{L-1} \| M_L)$. 

So in $H^D(M)$, we have replaced the wide-pipe chaining values $H_{i-1} \in \{0,1\}^w$ 
by pairs $(H'_{i-1}, H''_{i-1}) \in (\{0,1\}^n)^2$. In each iteration, the value $H'_i = C(H'_{i-1}, H''_{i-1} \| M_i)$, 
one half of the new chaining value, functionally depends on both 
halves $H'_{i-1}$ and $H''_{i-1}$ of the old chaining value (similarly for $H''_i$). This is vital 
for the security of the double-pipe hash. Otherwise, $H^D(M)$ would degenerate 
into the cascade of two hash functions, thus being vulnerable to Joux’ 
attack. 

Fig. 3. The Double-Pipe Hash 

3.1 Security Against Multiple Collision Attacks 

In principle, the double-pipe hash is a special case of the wide-pipe hash with 
$w = 2n$ and $C'((H', H''), M) := (C(H', H'' \| M),\ C(H'', H' \| M))$, where 
$C''(H', H'') = H'$ simply truncates $2n$ input bits to $n$ output bits. (Thus, we 
do not need to compute the value $H''_L := C(H''_{L-1}, H'_{L-1} \| M_L)$, as indicated 
in Figure 3.) Similarly to our analysis of the wide-pipe design, we distinguish 
internal collisions from final ones. The improved security of the wide-pipe hash 
over the plain MD hash depends on internal collision resistance being much 
stronger than final collision resistance. Unfortunately, this reasoning does not 
hold for the double-pipe construction. Finding internal collisions with $H' = H''$ 
and $G' = G''$ may be as “easy” as finding collisions for $C$, i.e., as finding final 
collisions. To deal with this, we define two special cases of internal collisions, in 
addition to considering $K$-collisions, and make the following three assumptions: 

1. It is infeasible to find a strict (internal) collision for $C$, i.e., two triples 
$(H', H'', M) \neq (G', G'', N)$ with $H' \neq H''$ and $G' \neq G''$, but 
$C(H'', H' \| M) = C(G'', G' \| N)$ and $C(H', H'' \| M) = C(G', G'' \| N)$. 

2. It is infeasible to find an (internal) cross collision for $C$: a triple $(H', H'', M)$, 
with $H' \neq H''$ but $C(H', H'' \| M) = C(H'', H' \| M)$. 

3. It is infeasible to find $K$-collisions for $C$. 

We will prove $H^D$ to be secure under the above three assumptions. While 
dealing with strict or cross collisions is unusual in cryptography, these assumptions 
appear to be natural and reasonable. We analyse the feasibility of finding 
strict or cross collisions for a random oracle $C$. For the concrete security analysis, 
we assume that finding strict collisions takes at least time $T_S$, finding cross 
collisions at least time $T_X$, and finding $K$-collisions at least time $T(K)$. 

Theorem 5. If we model the compression function $C$ as a random oracle, then 
finding cross collisions for $C$ needs time $T_X = \Omega(2^n)$, and finding strict collisions 
for $C$ needs time $T_S = \Omega(2^n)$. 

Proof. First, consider $T_X$. Any triple $(H', H'', M)$ can only be part of a cross 
collision, if $H' \neq H''$ and $C(H', H'' \| M) = C(H'', H' \| M)$, i.e., with a probability 
of $2^{-n}$ (for $H' \neq H''$). Thus, we expect to make $T_X = \Omega(2^n)$ oracle queries to 
find a cross collision. 

Now consider $T_S$. For any triple $(G', G'', M)$ with $G' \neq G''$, the pair $(H', H'') \in \{0,1\}^{2n}$ 
with $H' = C(G', G'' \| M)$ and $H'' = C(G'', G' \| M)$ is a uniformly distributed 
$2n$-bit random value, chosen independently from all the other $C(\cdot, \cdot \| \cdot)$-values. 
If the adversary chooses $q$ different triples $(G', G'', M)$ and makes $q$ 
queries to the $C$-oracle, then her probability to succeed is $\sum_{0 \le j < q} j/2^{2n} = O(q^2/2^{2n})$. 
Thus, we expect to make $T_S = q = \Omega(2^n)$ oracle queries to find 
a strict collision. □ 

Lemma 6. Consider $H^D$. Allow the adversary to choose $H'_0 \neq H''_0$. 

1. Any internal collision for $H^D$ reduces to a strict or to a cross collision. 

2. The adversary needs time $\Omega(\min\{T_S, T_X, T(K)\})$ to find a $K$-collision. 

Proof. For the first claim, observe that the initial values $H'_0$ and $H''_0$ are different. 
Any non-strict internal collision implies a triple $(H'_{i-1}, H''_{i-1}, M_i)$ with $H'_{i-1} = H''_{i-1}$. 
This implies the existence of a cross-colliding triple $(H'_j, H''_j, M_{j+1})$, with 
$j \le i-2$, $H'_j \neq H''_j$, and $H'_{j+1} = C(H'_j, H''_j \| M_{j+1}) = C(H''_j, H'_j \| M_{j+1}) = H''_{j+1}$. 
Thus, any non-strict internal collision implies a cross collision. 

For claim 2, we argue as in the proof of Lemma 1. A $K$-collision for $H^D$ either 
reduces to a final $K$-collision (taking time $T(K)$), or to an internal collision. By 
the first claim, an internal collision is either strict (taking time $T_S$), or is a cross 
collision (taking time $T_X$). □ 

Theorem 7. Consider $H^D$ and model $C$ as a random oracle. An adversary 
who can choose $H'_0 \neq H''_0$ needs time $\Omega(2^{n(K-1)/K})$ to find $K$-collisions. 

Proof. The result follows from Theorem 5, Lemma 6, and Fact 1. □ 

3.2 Resistance Against $K$-Way (2nd) Preimage Attacks 

Our treatment of $K$-way (2nd) preimage attacks is quite similar to Section 2.2. 
Let $T_S$ and $T_X$ be defined as above and assume finding preimages for $C$ to take 
at least time $P(1)$. 

Lemma 8. Consider $H^D$. Allow the adversary to choose $H'_0 \neq H''_0$. 

1. To find a single preimage, the adversary needs time $\Omega(P(1))$. 

2. To find $K$-way preimages, the adversary needs time $\Omega(\min\{T_S, T_X, T(K)\})$. 

Proof. Claim 1: See proof of Lemma 3 with $f''(\cdot, \cdot \| \cdot) := C(\cdot, \cdot \| \cdot)$. Claim 2 follows 
from claim 1 of Lemma 6. Note that a $K$-way preimage also is a $K$-collision. □ 

Theorem 9. Consider the double-pipe hash $H^D$. Model the compression function 
$C$ as a random oracle. An adversary who can choose $H_0$ needs time $\Omega(2^n)$ 
for finding a single or $K$-way preimage or a single or $K$-way 2nd preimage. 

The proof of Theorem 9 is quite similar to the proof of Theorem 12 below. 

Our results indicate that in the random oracle model, the double-pipe hash 
$H^D$ is asymptotically as secure as the wide-pipe hash with $w = 2n$. 
4 Davies-Meyer (DM) Compression Functions 

If we trust an existing MD-hash to meet its security goal, it seems reasonable to 
use its compression function as the building-block $C$ for the double-pipe hash. 
But most practical hash (or rather, compression) functions (including the SHA-family 
of hash functions, see Table 1) suffer from a specific structural weakness: 
They use a block cipher like function $E : \{0,1\}^{n+m} \times \{0,1\}^n \to \{0,1\}^n$, i.e., that 
for each “key” $K \in \{0,1\}^{n+m}$ the function $E(K, \cdot)$ permutates over $\{0,1\}^n$, and 
both $E(M, \cdot)$ and its inverse can efficiently be computed. A DM compression 
function $C : \{0,1\}^n \times \{0,1\}^{n+m} \to \{0,1\}^n$ is defined as follows: 

$C(H_{i-1}, M_i) = E(M_i, H_{i-1}) + H_{i-1}$. 

(Here “+” is any group operation over $\{0,1\}^n$.) The ability to efficiently compute 
$E_M^{-1}(\cdot)$ can be useful for the adversary, see e.g. Kelsey and Schneier [13] 
for examples. Thus, we have to extend our formalism for the security proofs 
accordingly, by considering a Shannon oracle, instead of a random oracle. 
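The DM construction and the structural property the paragraph refers to, as an added Python example (not the paper's code). The block cipher is a constructed toy: a four-round Feistel network over 32-bit blocks whose round keys are derived from the $(n+m)$-bit "key" (the message block) with SHA-256; it exists only to make $E(K, \cdot)$ and its inverse both cheap and has no cryptographic strength. The last function shows why a random-oracle model for $C$ is inadequate here: with "+" as addition mod $2^n$, one call to the inverse yields an $H$ with $C(H, M) = H$, which no oracle that only answers forward queries would allow.

```python
"""Davies-Meyer compression from an invertible block cipher. Added
illustration, not the paper's code. The cipher below is a constructed
4-round Feistel toy over n = 32 bits (assumption) with round keys derived
from the DM 'key' via SHA-256; it only serves to show that E and E^{-1}
are equally cheap to evaluate.
"""
import hashlib
import struct

N_BITS = 32
MOD = 1 << N_BITS
MASK16 = 0xFFFF
ROUNDS = 4


def round_keys(key: bytes) -> list[int]:
    """Derive ROUNDS 16-bit subkeys from the (n+m)-bit key K = M_i."""
    digest = hashlib.sha256(key).digest()
    return [int.from_bytes(digest[2 * i:2 * i + 2], "big") for i in range(ROUNDS)]


def f(half: int, rk: int) -> int:
    """Feistel round function (constructed; any 16-bit function would do)."""
    return int.from_bytes(hashlib.sha256(struct.pack(">HH", half, rk)).digest()[:2], "big")


def encrypt(key: bytes, x: int) -> int:
    """E(K, x): a keyed permutation over {0,1}^32."""
    left, right = x >> 16, x & MASK16
    for rk in round_keys(key):
        left, right = right, left ^ f(right, rk)
    return (left << 16) | right


def decrypt(key: bytes, y: int) -> int:
    """E(K, .)^{-1}: undo the rounds in reverse order, at the same cost."""
    left, right = y >> 16, y & MASK16
    for rk in reversed(round_keys(key)):
        left, right = right ^ f(left, rk), left
    return (left << 16) | right


def dm_compress(h_prev: int, block: bytes) -> int:
    """C(H_{i-1}, M_i) = E(M_i, H_{i-1}) + H_{i-1}, with '+' mod 2^n."""
    return (encrypt(block, h_prev) + h_prev) % MOD


def dm_fixed_point(block: bytes) -> int:
    """The 'specific structural weakness' of the text: because E^{-1} is
    available, H := E(M, .)^{-1}(0) satisfies C(H, M) = 0 + H = H after a
    single inverse call. A random oracle for C has no such shortcut, which
    is why Section 4.1 re-proves the bounds in the Shannon model."""
    return decrypt(block, 0)
```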


4.1 Double-Pipe Hash with DM Compression Function 

Some generic attacks against hash functions don’t apply in the random oracle 
model, but are feasible in the Shannon model [13]. Fortunately, this does not pose 
a problem for the double-pipe hash. Those parts of our analysis of the double-pipe 
hash which do not assume random oracles are still relevant and applicable.$^6$ 
However, trusting those parts of our analysis which treat $C$ as a random oracle 
would be risky. For this reason, we additionally analyse the double-pipe hash in 
the Shannon model. See Appendix A for the proofs of the Theorems below. 

Theorem 10. Consider a DM compression function $C$. If we model $E$ by a 
Shannon oracle, then $T_X = \Omega(2^n)$ and $T_S = \Omega(2^n)$. 

Theorem 11. Consider $H^D$ with a DM compression function $C$. If we model 
$E$ by a Shannon oracle, then finding $K$-collisions takes time $\Omega(2^{(n-1)(K-1)/K})$. 

Theorem 12. Consider $H^D$ with a DM compression function $C$. If we model 
$E$ by a Shannon oracle, then finding a single or $K$-way preimage or a single or 
$K$-way 2nd preimage takes time $P(1) = \Omega(2^n)$. 

5 Resistance Against 2nd Collision Attacks 

Note that our definition of a 2nd collision attack assumes the adversary to be 
given the first collision essentially “for free”. This is difficult to handle in the 
standard model. Thus, we concentrate on the random oracle model. 

$^6$ Observe that the “DM compression function” is the function $C$ with some specific 
non-random property. Given such $C$, the definition of $H^D$ is the same. 

In general, our hash designs do not protect against 2nd collision attacks: 
given an internal collision, attacking the wide-pipe or double-pipe hash is as easy 
as attacking the MD hash. Our design rationale, however, has been to defend 
against internal collisions, leaving final collisions as the “dotted line”, where the 
hash function is likely to break (if it breaks at all). This is the foundation for 
the security proofs in the previous sections. In the remainder of this section, we 
thus focus on the specific case that the adversary is only given a final collision. 

5.1 Wide-Pipe Hash: 2nd Collision Resistance 

Consider the following attack: fix $H_0$, choose two incomplete expanded messages 
$(M_1, \ldots, M_{L-1})$ and $(N_1, \ldots, N_{L'-1})$, defining some pre-final internal states 
$H^M_{L-1}$ and $H^N_{L'-1}$, receive a first collision and finally provide a 2nd collision. The 
first collision is defined by $M_L, N_{L'}$ such that the hash collides, but $C'$ does not: 

$f''(H^M_{L-1}, M_L) = f''(H^N_{L'-1}, N_{L'})$ but $C'(H^M_{L-1}, M_L) \neq C'(H^N_{L'-1}, N_{L'})$. 

In this section, we consider an attack game giving the adversary even more 
freedom: choose any $H^M_{L-1}$ and $H^N_{L'-1}$, receive $M_L, N_{L'}$ for a first collision as 
above, and provide any four messages $A, B, C, D \in \{0,1\}^*$, $A \neq B$, $C \neq D$, 
$H(A) = H(B)$, $H(C) = H(D)$, with $C \notin \{A, B, D\}$. 

Theorem 13. Consider the wide-pipe hash $H$. Model $C'$ as a random oracle. If 
$C''$ either is an independent random oracle, or the $n$-bit truncation of its $w$-bit 
input, the adversary needs time $\Omega(2^{n/2})$ to win the 2nd collision game for $H$. 

Proof (Sketch). Recall that we have got a first collision for $f''$, but no collision 
for $C'$. Finding messages $A, B, C, D \in \{0,1\}^*$ as required implies finding 

- an internal collision (a collision for $C'$), taking time $\Omega(2^{w/2}) \ge \Omega(2^{n/2})$, 

- or a 2nd collision for $f''$, namely intermediate hashes $H_A, H_B, H_C, H_D \in \{0,1\}^w$, 
and final message blocks $M_A, M_B, M_C, M_D \in \{0,1\}^m$ with 

  $(H_A, M_A) \neq (H_B, M_B)$, 

  $(H_C, M_C) \notin \{(H_A, M_A), (H_B, M_B), (H_D, M_D)\}$, 

  $f''(H_A, M_A) = f''(H_B, M_B)$, and $f''(H_C, M_C) = f''(H_D, M_D)$. 

We argue that finding a 2nd collision for $f''$ would take time $\Omega(2^{n/2})$. If the 2nd 
collision for $f''$ includes a collision for $C'$, then we need time $\Omega(2^{w/2})$ to 
find it. Else, the 2nd collision is still as hard to find as a 2nd collision for any 
$n$-bit random oracle (both when $C''$ is an independent random oracle and when 
$C''$ plainly truncates), thus taking time $\Omega(2^{n/2})$, see Fact 2. □ 


5.2 The Double-Pipe Hash: 2nd Collision Resistance 

We adapt the attack game from above to the double-pipe hash: choose four 
arbitrary pairs $G' \neq G''$, $H' \neq H'' \in \{0,1\}^n$, receive $M, N \in \{0,1\}^m$ with 
$C(G', G'' \| M) = C(H', H'' \| N)$, and provide $A, B, C, D \in \{0,1\}^*$, with $A \neq B$, 
$C \neq D$, $H^D(A) = H^D(B)$, $H^D(C) = H^D(D)$, and $C \notin \{A, B, D\}$. 

Theorem 14. Consider the double-pipe hash $H^D$. Model $C$ as a random oracle. 
The adversary needs time $\Omega(2^{n/2})$ to win the 2nd collision game for $H^D$. 

Proof (Sketch). As above, finding such $A, B, C, D \in \{0,1\}^*$ with $A \neq B$ and 
$C \notin \{A, B, D\}$, implies finding 

- either an internal collision, taking time $\Omega(2^n)$ (→ Lemma 6, Theorem 5) 

- or intermediate hashes $H'_A, H''_A, H'_B, H''_B, H'_C, H''_C, H'_D, H''_D \in \{0,1\}^n$ 
and final message blocks $M_A, M_B, M_C, M_D \in \{0,1\}^m$ with 

  $(H'_A, H''_A \| M_A) \neq (H'_B, H''_B \| M_B)$, 

  $(H'_C, H''_C \| M_C) \notin \{(H'_A, H''_A \| M_A), (H'_B, H''_B \| M_B), (H'_D, H''_D \| M_D)\}$, 

  $C(H'_A, H''_A \| M_A) = C(H'_B, H''_B \| M_B)$, and 
  $C(H'_C, H''_C \| M_C) = C(H'_D, H''_D \| M_D)$. 

The intermediate hashes and message blocks constitute a 2nd preimage for $C$. 
According to Fact 2, finding such a 2nd preimage takes time $\Omega(2^{n/2})$. □ 

Theorem 15. Consider $H^D$ with a DM compression function $C$. Model $E$ by a 
Shannon oracle. Winning the 2nd collision game takes time $\Omega(2^{n/2})$. 

See Appendix A for a sketch of the proof. 

6 Discussion 

A Variant of the double-pipe hash. To reduce the set of cryptographic 
assumptions, Preneel [21] proposed to use $C : \{0,1\} \times \{0,1\}^n \times \{0,1\}^{n+m} \to \{0,1\}^n$ 
with one extra bit of input. Set $H'_i := C(0, H'_{i-1}, H''_{i-1} \| M_i)$, 
$H''_i := C(1, H''_{i-1}, H'_{i-1} \| M_i)$, and finally $\mathrm{Hash}(M) := C(0, H'_{L-1}, H''_{L-1} \| M_L)$. 
Proofs of security for this variant of the double-pipe hash are very similar to the 
proofs for $H^D$ itself, but without the need to assume finding cross collisions to be infeasible. 

Two Independent Security Parameters. The main lesson from [11,13] and 
the current paper is that the internal state size $w$ of an iterated hash function 
should be seen as a security parameter of its own right. 

Any security architect choosing parameters for a cryptographic hash should 
choose both $w$ and $n$ according to her specific security requirements. For an 
application where even a single hash collision would be the ultimate disaster, 
$w = n$ suffices. If, on the other hand, additional multi-collisions or (multiple or 
single) preimages or 2nd preimages or feasible 2nd collisions would turn things 
from bad to worse, $w > n$ is recommendable, due to an improved failure mode. 

2nd Collision Resistance. For applications such as digital signatures, 2nd 
collision resistance can have a huge impact on practical security. Our constructions 
are reasonably 2nd collision resistant. E.g., a double-pipe hash using the 
MD5 compression function would fail collision resistance due to [26], but for the 
double-pipe hash, this attack could only be used to generate final collisions. Accordingly, 
this double-pipe hash still defeats known exploits that make collisions 
“meaningful” [12,17,14,15,7]. 
Cascading. The idea to improve the security of hash functions by cascading has 
been discussed for a long time, see, e.g., [20]. Cascading looks like an obvious 
technique to improve the security of hash functions, but due to Joux’ attack, 
cascading iterated hash functions is not that useful. On the other hand, the 
double-pipe construction can be seen as a cascade of compression functions. To 
this end, our double-pipe construction provides a theoretically sound technique 
to cascade compression functions instead of the complete hash functions. 

Summary. This paper takes an abstract and proof-centric look at the design 
of hash functions. Similarly to [2], we consider our work a “feasible and useful 
step for understanding the security” of iterated hash functions, thereby complementing 
the attack-centric approach [11,13]. In the spirit of Merkle [16] and 
Damgård [6], this paper shows how to compose “good” hash functions, given 
“good” compression functions. We provide standard model explanations, what 
it means for the compression function to be “good”. Additionally, we analyse 
the security of our constructions in the random oracle and Shannon model. 
Appendix 

A Security of Double-Pipe Hash with Davies-Meyer 

A.1 Conventions 

In this section, we analyse the security of the double-pipe hash with a Davies-Meyer 
compression function. The adversary $A$ has access to a Shannon oracle 
for $E$ and $E^{-1}$. Similarly to [2], we assume: 

- $A$ never asks a query for which the response is already known. Namely, if 
$A$ asks for $E_k(x)$ and receives $y$, she neither asks for $E_k^{-1}(y)$, nor for $E_k(x)$ 
again. Similarly, if she has asked for $E_k^{-1}(y)$ and received $x$. 

- Recall that for the type of attacks we consider, a successful adversary always 
outputs one or more messages $M^i$, which either collide or constitute some 
(2nd) preimages. Before finishing, the adversary makes all the oracle calls to 
compute all hash values 
- We define a simulator, to respond to $A$’s oracle queries: 

  • Initially: 

    * set $i := 0$; clear the logbook; 

    * for all $(k, x)$: mark $E_k(x)$ as undefined; 

  • At any time, $\mathrm{DOMAIN}(E_k)$ denotes the set of points $x$ where $E_k(x)$ is still 
  undefined. Similarly we write $\mathrm{RANGE}(E_k)$ for the set of points $y$ where 
  $E_k^{-1}(y)$ is still undefined. 

  • Responding to an oracle query $E_k(x)$: 

    * set $i := i + 1$ 

    * randomly choose $y$ from $\mathrm{RANGE}(E_k)$ 

    * append $(x_i, k_i, y_i) := (x, k, y)$ to the logbook; 

    * respond $y$; 

  • Responding to an oracle query $E_k^{-1}(y)$: 

    * set $i := i + 1$ 

    * randomly choose $x$ from $\mathrm{DOMAIN}(E_k)$ 

    * append $(x_i, k_i, y_i) := (x, k, y)$ to the logbook; 

    * respond $x$; 

For our proofs, we will discuss the logbook entries $(x_i, k_i, y_i)$. 

This is without loss of generality: any adversary not following the first two 
conventions can easily be transformed into an equivalent one following them. And 
an adversary following the first two conventions cannot distinguish the simulator 
from a “true” Shannon oracle. 
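The simulator of A.1 as an added Python example (not the paper's code): a lazily sampled Shannon oracle that keeps, per key $k$, a partial permutation and the logbook of triples $(x_i, k_i, y_i)$. $E_k(x)$ is drawn uniformly from $\mathrm{RANGE}(E_k)$ (the outputs not yet assigned), $E_k^{-1}(y)$ from $\mathrm{DOMAIN}(E_k)$, and a repeated query, which convention 1 forbids, is rejected. The block size $n = 8$, the use of `secrets` for the coin flips and the rejection-sampling loop are choices made here; the loop is cheap only while the number of queries $q$ is far below $2^n$, which is exactly the regime the proofs work in.

```python
"""Lazy-sampling simulator for the Shannon oracle of Appendix A.1.
Added illustration, not the paper's code. Assumptions: n = 8 bits,
keys are arbitrary hashable values, coins come from `secrets`.
"""
import secrets

N_BITS = 8


class ShannonOracle:
    def __init__(self, n_bits: int = N_BITS):
        self.size = 1 << n_bits
        self.fwd: dict = {}      # k -> {x: y}, the defined part of E_k
        self.inv: dict = {}      # k -> {y: x}, the defined part of E_k^{-1}
        self.logbook: list = []  # (x_i, k_i, y_i) for i = 1, 2, ...

    def _tables(self, k):
        return self.fwd.setdefault(k, {}), self.inv.setdefault(k, {})

    def _fresh(self, used: dict) -> int:
        """Uniform point of {0,1}^n outside `used` (rejection sampling)."""
        if len(used) >= self.size:
            raise RuntimeError("permutation for this key is fully defined")
        while True:
            v = secrets.randbelow(self.size)
            if v not in used:
                return v

    def encrypt(self, k, x: int) -> int:
        """Answer E_k(x) with a fresh y from RANGE(E_k); log (x, k, y)."""
        fwd, inv = self._tables(k)
        if x in fwd:
            # convention 1: the adversary never repeats a known query
            raise ValueError("E_k(x) is already defined; repeated query")
        y = self._fresh(inv)
        fwd[x], inv[y] = y, x
        self.logbook.append((x, k, y))
        return y

    def decrypt(self, k, y: int) -> int:
        """Answer E_k^{-1}(y) with a fresh x from DOMAIN(E_k); log (x, k, y)."""
        fwd, inv = self._tables(k)
        if y in inv:
            raise ValueError("E_k^{-1}(y) is already defined; repeated query")
        x = self._fresh(fwd)
        fwd[x], inv[y] = y, x
        self.logbook.append((x, k, y))
        return x

    def is_permutation(self, k) -> bool:
        """Invariant: the partial table for k is injective in both directions."""
        fwd, inv = self._tables(k)
        return (len(fwd) == len(inv) == len(set(fwd.values()))
                and all(inv[y] == x for x, y in fwd.items()))


def dm_via_oracle(oracle: ShannonOracle, h_prev: int, block) -> int:
    """C(H_{i-1}, M_i) = E_{M_i}(H_{i-1}) + H_{i-1} mod 2^n, evaluated the way
    the adversary of Appendix A must: through a logged oracle query."""
    return (oracle.encrypt(block, h_prev) + h_prev) % oracle.size
```

Every logbook entry satisfies $y_i = E_{k_i}(x_i)$, and for each entry exactly one of $x_i$, $y_i$ was the freshly sampled value; the proofs of Theorems 10 to 12 argue about the sums $x_i + y_i$ of precisely these entries.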


A.2 Internal Collisions 

Theorem 10. Consider a DM compression function $C$. If we model $E$ by a 
Shannon oracle, then $T_X = \Omega(2^n)$ and $T_S = \Omega(2^n)$. 

Proof. For the proof, we assume that the adversary does not make more than 
$q \le 2^{n-1}$ queries. This is technically correct, since $2^{n-1} = \Omega(2^n)$. 

Time $T_X$ to find cross collisions: a cross collision is described by $H'_{i-1} \neq H''_{i-1}$, $M_i$ with 

$C(H'_{i-1}, H''_{i-1} \| M_i) = H'_i = H''_i = C(H''_{i-1}, H'_{i-1} \| M_i)$. (1) 

In time $q$, we can check at most $q/2$ such triples $(H'_{i-1}, H''_{i-1}, M_i)$ for cross 
collisions. Now we argue that for $q \le 2^{n-1}$, for each such triple the probability 
$p_X$ to satisfy Equation 1 is at most $1/2^{n-1}$. This implies that the expected 
number of oracle queries we need to make before we get the first cross collision 
is $T_X = \Omega(2^n)$, as claimed. 

We still have to show $p_X \le 1/2^{n-1}$. If the adversary’s answer involves a cross 
collision, then, by the above conventions, the simulator’s logbook contains two 
triples $(x_a, k_a, y_a)$ and $(x_b, k_b, y_b)$ with $a \neq b$, 

$x_a = H'_{i-1}$, $k_a = (H''_{i-1} \| M_i)$, $y_a = E_{k_a}(x_a)$, 

$x_b = H''_{i-1}$, $k_b = (H'_{i-1} \| M_i)$, and $y_b = E_{k_b}(x_b)$. 
Thus, we can rewrite Equation 1 as 

$E_{k_a}(x_a) + x_a = E_{k_b}(x_b) + x_b$, 

which corresponds to 

$y_a + x_a = y_b + x_b$. (2) 

If (w.l.o.g.) $a < b$, then either $y_b$ or $x_b$ is a uniformly distributed random value 
from a huge subset of $\{0,1\}^n$: 

- If the $b$-th oracle query has been $E_{k_b}(x_b)$, then $y_b$ is a random value from $\mathrm{RANGE}(E_{k_b})$. 

- Else $x_b$ is a random value from $\mathrm{DOMAIN}(E_{k_b})$. 

Since $|\mathrm{RANGE}(E_{k_b})| = |\mathrm{DOMAIN}(E_{k_b})| \ge 2^n - b + 1 > 2^n - q$, and due to $q \le 2^{n-1}$, 
we get $p_X \le 1/2^{n-1}$, as claimed. 

Time $T_S$ to find strict collisions: for triples $(G', G'', M)$ with $G' \neq G''$, we 
consider pairs $(H', H'') \in \{0,1\}^{2n}$, where 

$H' = C(G', G'' \| M)$ and $H'' = C(G'', G' \| M)$. (3) 

A strict collision consists of such a triple $(G', G'', M)$ and another triple $(F', F'', N) \neq (G', G'', M)$ with 

$C(F', F'' \| N) = H'$ and $C(F'', F' \| N) = H''$. (4) 

After $q$ oracle queries, there are $\Theta(q^2)$ pairs $((G', G'', M), (F', F'', N))$ of triples. 
We claim that for $q \le 2^{n-1}$, the probability $p_S$ to satisfy Equation 4 is $p_S \le 1/2^{2(n-1)}$. 
Hence, the expected number of oracle queries to get a strict collision 
is $T_S = \Omega(2^n)$. 

It remains to prove $p_S \le 1/2^{2(n-1)}$. Consider a triple $(x_a, k_a, y_a)$ with $x_a = G'$, 
$k_a = (G'' \| M)$, and $y_a = E_{k_a}(x_a)$ from the simulator’s logfile. We only have 
a chance for a strict collision if the logfile contains another triple $(x_b, k_b, y_b)$ with 
$x_b = G''$, $k_b = (G' \| M)$, and $y_b = E_{k_b}(x_b)$. Note that $x_b$ and $k_b$ are uniquely 
determined by $x_a$ and $k_a$, and vice versa. Equation 3 can then be rewritten as 

$H' = E_{k_a}(x_a) + x_a = y_a + x_a$ and $H'' = E_{k_b}(x_b) + x_b = y_b + x_b$. 

A strict collision implies another triple $(F', F'', N)$ to satisfy Equation 4. This 
corresponds to two more triples $(x_c, k_c, y_c)$ and $(x_d, k_d, y_d)$ on the server’s logfile 
with 

$H' = y_a + x_a = y_c + x_c$ (5) 

$H'' = y_b + x_b = y_d + x_d$. (6) 

Both equations are of the same type as Equation 2. As in that context, we argue 
that due to $q \le 2^{n-1}$ the probability for Eq. 5 to hold is no more than $1/2^{n-1}$; 
similarly for Eq. 6. More importantly, the conditional probability to satisfy Eq. 6, 
assuming Eq. 5, is at most $1/2^{n-1}$. Thus, the joint probability $p_S$ for both Eq. 5 
and Eq. 6 is $p_S \le 1/2^{2(n-1)}$. □ 
A.3 Resistance Against $K$-Collision Attacks 

Theorem 11. Consider $H^D$ with a DM compression function $C$. If we model 
$E$ by a Shannon oracle, then finding $K$-collisions takes time $\Omega(2^{(n-1)(K-1)/K})$. 

Proof. Due to the first claim of Lemma 6 and Theorem 10, we know that an 
internal collision would take time $\Omega(2^n)$. Thus, in time $\Omega(2^{(n-1)(K-1)/K})$ we 
cannot expect to find any internal collision. The only chance to find a $K$-way 
collision for $H^D$ is finding a final $K$-collision, which takes time $T(K)$. In the 
remainder of this proof, we show $T(K) = \Omega(2^{(n-1)(K-1)/K})$. As in the proof of 
Theorem 10, we assume $q \le 2^{n-1} = \Omega(2^n)$. 

A final $K$-collision consists of $K$ different triples $(G^i, H^i, M^i)$ with 

$C(G^1, H^1 \| M^1) = \cdots = C(G^K, H^K \| M^K)$. 

By the above conventions, this implies that there are $K$ triples $(x_1, k_1, y_1), \ldots, (x_K, k_K, y_K)$ 
in the simulator’s logbook with 

$E_{k_1}(x_1) + x_1 = \cdots = E_{k_K}(x_K) + x_K$. 

These are $K$ sums $x_i + y_i$, and similarly to the proof of Theorem 10, for each such 
sum either $x_i$ or $y_i$ has been chosen from a huge subset of $\{0,1\}^n$. Since $q \le 2^{n-1}$, 
the size of this subset exceeds $2^n - q \ge 2^{n-1}$. For this reason, we expect to make 
$T(K) = \Omega(2^{(n-1)(K-1)/K})$ Shannon oracle queries for a $K$-collision. □ 


A.4 Resistance Against $K$-way (2nd) Preimage Attacks 

Theorem 12. Consider $H^D$ with a DM compression function $C$. If we model 
$E$ by a Shannon oracle, then finding a single or $K$-way preimage or a single or 
$K$-way 2nd preimage takes time $P(1) = \Omega(2^n)$. 

Proof. As in some of the proofs above, we assume $q \le 2^{n-1}$. 

Finding $K$-way (2nd) preimages isn’t faster than finding single (2nd) preimages. 
Thus, we concentrate on single ones. 

First, we start with single preimages. Due to Lemma 8, finding a single 
preimage for the hash $H^D$ takes time $\Omega(P(1))$, i.e., is asymptotically not faster 
than finding a preimage for the compression function $C(K, X) = E_K(X) + X$. 
Let a target $Z$ be given, and an adversary is trying to find $K$ and $X$ with 
$C(K, X) = E_K(X) + X = Z$. By the above conventions, this corresponds to an 
entry $(x_i, k_i, y_i)$ in the simulator’s logbook with $x_i + y_i = Z$, and either $x_i$ or 
$y_i$ has been chosen from a huge subset of $\{0,1\}^n$ of size $\ge 2^n - q \ge 2^{n-1}$. Thus, 
for each query to the Shannon oracle, the probability to find a preimage for $Z$ 
is at most $1/2^{n-1}$, and we expect to make $P(1) = \Omega(2^n)$ such queries to find such 
a preimage. 
Now consider 2nd preimages: assume an algorithm to find 2nd preimages for $H^D$. Consider we are given $(K, N)$ and are searching for some 2nd preimage $(K', N') \ne (K, N)$ with

$$C(K', N') = E_{K'}(N') + N' = E_K(N) + N = C(K, N).$$

The following technique resembles the proof of Theorem 4. We choose some message $M$, expand it to $(M_1, \ldots, M_L)$ and accordingly compute the internal hashes $H'_1, H''_1, \ldots, H'_{L-1}, H''_{L-1}$. Assume

$$(K, N) \notin \{(H'_{i-1}, H''_{i-1} \| M_i),\ (H''_{i-1}, H'_{i-1} \| M_i) \mid 1 \le i \le L\}$$

(this holds with overwhelming probability).

Set $N^{-1} := E_K^{-1}(Z - N)$ and define the function $E' : \{0,1\}^n \times \{0,1\}^{n+m} \to \{0,1\}^n$:

$$E'_K(N) = Z - N$$
$$E'_K(N^{-1}) = E_K(N)$$
$$E'_Q(R) = E_Q(R) \quad \text{for } (Q, R) \notin \{(K, N), (K, N^{-1})\}.$$

Now we run the adversary, replacing the (Shannon-) oracle for $E$ and $E^{-1}$ by an oracle for $E'$ and its inverse. Observe that for the adversary $H^D(M) = Z$ holds. Further, both $E$ and $E'$ are random permutations over $\{0,1\}^n$, so the adversary's chances of success are not affected by the change from $E$ to $E'$.

Assume the adversary succeeds in finding a 2nd preimage $\bar{M}$ for $M$. Write $(\bar{M}_1, \ldots, \bar{M}_{\bar{L}})$ for the expansion of $\bar{M}$ and $\bar{H}'_1, \bar{H}''_1, \ldots, \bar{H}'_{\bar{L}-1}, \bar{H}''_{\bar{L}-1}$ for the internal hashes.

- If $(\bar{H}'_{\bar{L}-1}, \bar{H}''_{\bar{L}-1}, \bar{M}_{\bar{L}}) = (H'_{L-1}, H''_{L-1}, M_L)$, then the adversary has found an internal collision. From above, we know that this needs time $\min\{T_x, T_g\} = \Omega(2^n)$.

- Otherwise, $(\bar{H}'_{\bar{L}-1}, \bar{H}''_{\bar{L}-1}, \bar{M}_{\bar{L}})$ is a preimage for $Z$. From above, we know that this takes time $P(1) = \Omega(2^n)$.

Thus, in order to find a 2nd preimage for $H$, the adversary either has to find an internal collision, or a 2nd preimage for $C$, and solving either problem takes time $\Omega(2^n)$. □

A.5 2nd Collision Resistance

Theorem 15. Consider $H^D$ with a DM compression function $C$. Model $E$ by a Shannon oracle. Winning the 2nd collision game takes time $\Omega(2^{n/2})$.

Proof (Sketch). Recall the proof of Theorem 14. A 2nd collision for $H^D$ either implies an internal collision or a 2nd preimage for $C$. Finding an internal collision reduces to strict or internal collisions, thus taking time $\Omega(2^n)$ (→ Theorem 10).

We still have to show that finding 2nd collisions for $C$ takes time $\Omega(2^{n/2})$. From Theorem 11, we know that finding (first) collisions (i.e., $K$-collisions with $K = 2$) takes time $\Omega(2^{n/2})$. In the proof of Theorem 11, finding such collisions for $C$ is shown equivalent to the following task:

find $x_1, k_1, x_2, k_2$ with $E_{k_1}(x_1) + x_1 = E_{k_2}(x_2) + x_2$ and $(x_1, k_1) \ne (x_2, k_2)$.

Similarly, finding 2nd collisions for $C$ is equivalent to the task:

given $x_a, k_a, x_b, k_b$ with $E_{k_a}(x_a) + x_a = E_{k_b}(x_b) + x_b$ and $(x_a, k_a) \ne (x_b, k_b)$,

find $x_c, k_c, x_d, k_d$ with $E_{k_c}(x_c) + x_c = E_{k_d}(x_d) + x_d$ and $(x_c, k_c) \notin \{(x_a, k_a), (x_b, k_b), (x_d, k_d)\}$.

Regarding the second task, we replace the family $E$ of permutations by a modified family $E'$:

- Randomly choose $x_a, k_a, x_b, k_b$. Assume $k_a \ne k_b$ (this is overwhelmingly probable).

- Compute $y^* := E_{k_b}(x_b) + x_b - x_a$ and $x^* := E_{k_a}^{-1}(y^*)$.

- Set $E'_{k_a}(x_a) := y^*$ and $E'_{k_a}(x^*) := E_{k_a}(x_a)$. Otherwise, $E'$ behaves identically to $E$.

- Observe $E'_{k_a}(x_a) + x_a = E'_{k_b}(x_b) + x_b$. Given such $x_a, k_a, x_b, k_b$, solve the second collision task for $E'$ instead of $E$. The solution is $x_c, k_c, x_d, k_d$ as above.

With significant probability, we have $\{(x_c, k_c), (x_d, k_d)\} \cap \{(x_a, k_a), (x^*, k_a)\} = \{\}$. In this case, our 2nd collision for $E'$ is a first collision for $E$. Thus, our proof reveals a technique to efficiently find collisions for $C$, if one can find 2nd collisions. Due to Theorem 11, finding such collisions takes time $\Omega(2^{n/2})$. □
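The $E \to E'$ modification used in the proof above, carried out on a constructed toy cipher (an added example, not code from the paper): $n = 8$, each $E_k$ is a random permutation, and "+" on $\{0,1\}^n$ is taken to be XOR, which is an assumption here. It checks that the planted pair is a collision for $C$, that $E'_{k_a}$ is still a permutation, and that $E'$ differs from $E$ in at most the two points $(x_a, k_a)$ and $(x^*, k_a)$.

```python
"""Planting a collision in a Davies-Meyer compression function C(k, x) =
E_k(x) + x by swapping two images of E_{k_a} (the E -> E' step in the proof
of Theorem 15).  Toy parameters: n = 8 bits, "+" taken as XOR (assumption),
E a constructed family of random permutations."""
import random

N_BITS = 8
SPACE = 1 << N_BITS


def random_family(num_keys, seed=2005):
    """Constructed toy E: one random permutation of {0,1}^n per key."""
    rng = random.Random(seed)
    fam = {}
    for k in range(num_keys):
        perm = list(range(SPACE))
        rng.shuffle(perm)
        fam[k] = perm
    return fam


def dm(fam, k, x):
    """Davies-Meyer compression C(k, x) = E_k(x) + x with "+" = XOR."""
    return fam[k][x] ^ x


def plant_collision(fam, xa, ka, xb, kb):
    """Return (E', x*) such that C'(ka, xa) == C'(kb, kb-side) and E' is
    still a permutation family that equals E outside {(xa,ka), (x*,ka)}."""
    if ka == kb:
        raise ValueError("the proof assumes k_a != k_b")
    fam2 = {k: list(p) for k, p in fam.items()}   # E' := E (copy)
    y_star = fam[kb][xb] ^ xb ^ xa                # y* = E_kb(xb) + xb - xa
    x_star = fam[ka].index(y_star)                # x* = E_ka^{-1}(y*)
    # Swap the two images so that E'_ka remains a bijection.
    fam2[ka][xa] = y_star                         # E'_ka(xa) := y*
    fam2[ka][x_star] = fam[ka][xa]                # E'_ka(x*) := E_ka(xa)
    return fam2, x_star


def is_permutation(perm):
    return sorted(perm) == list(range(SPACE))


def points_changed(fam, fam2):
    """All (key, x) where E' differs from E."""
    return [(k, x) for k in fam for x in range(SPACE) if fam[k][x] != fam2[k][x]]


def demo(seed=2005):
    """Plant one collision under two distinct keys and report the checks."""
    fam = random_family(4, seed)
    rng = random.Random(seed + 1)
    xa, xb = rng.randrange(SPACE), rng.randrange(SPACE)
    ka, kb = 0, 1
    fam2, x_star = plant_collision(fam, xa, ka, xb, kb)
    return {
        "collision": dm(fam2, ka, xa) == dm(fam2, kb, xb),
        "still_permutation": all(is_permutation(p) for p in fam2.values()),
        "changed": points_changed(fam, fam2),
        "xa": xa, "x_star": x_star, "ka": ka,
    }


if __name__ == "__main__":
    print(demo())
```

If $E_{k_a}(x_a)$ already equals $y^*$ then $x^* = x_a$ and $E' = E$, which the edge case above handles with no change.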


B Examples 

The SHA standard. Two of the five SHA-* hash functions [19], namely SHA-224 and -384, have already been designed according to this paper's "wide-pipe" paradigm, see Table 1. Of course, the authors of SHA-224 and -384 were to reuse existing compression functions, but they could have done so - improving the hash function's performance - by truncating the internal hash values to 224 or 384 bit and extending the message chunk size by 256-224=32 or 512-384=128 bit. Our results provide some formal ("after the fact") justification for the design of SHA-224 and -384.

A natural choice for the parameters $w$ and $n$ would, however, be $w = 2n$. As an example for the wide-pipe hash, we could set $C' :=$ (SHA-512 compression function) and $C'' :=$ (SHA-256 compression function) to define a 256-bit hash with an internal hash size of $w = 512$. For large messages, this 256-bit hash would be about as fast as SHA-512. As an example for a 256-bit double-pipe hash, consider $C :=$ (SHA-256 compression function). The size of a SHA-256 message chunk is $m + n = 512$, so the size of a double-pipe message chunk would be $m = 512 - n = 256$ bit. For large messages, double-piped SHA-256 would be about four times slower than plain SHA-256. Similarly, a double-piped SHA-1 hash would be about three times slower than plain SHA-1.^7

Table 1. SHA standard hash functions and their parameters [19]

             final hash     internal hash   message chunk   uses compression
             size n [bit]   size w [bit]    size [bit]      function from
  SHA-1      160            160             512             (own)
  SHA-224    224            256             512             SHA-256
  SHA-256    256            256             512             (own)
  SHA-384    384            512             1024            SHA-512
  SHA-512    512            512             1024            (own)
AES-based example for the double-pipe hash. Consider an AES-based MD hash $H_{\mathrm{AES}}$, using the AES block cipher in Davies-Meyer mode. The block size of $H_{\mathrm{AES}}$ is the AES block size: 128 bit. For applications which do not require collision resistance, it may be fine to use a 128-bit hash. But resistance against multi-collision attacks or 2nd preimage attacks could be a concern for these applications - and from the Joux and the Kelsey-Schneier attacks, we know that $H_{\mathrm{AES}}$ is much less resistant against these attacks than we would expect from a 128-bit hash. For a well funded and motivated adversary, it is possible to find, say, a $2^{16}$-collision for $H_{\mathrm{AES}}$. This weakness does not much depend on the AES key size (either 128 bit, 192 bit, or 256 bit).

In contrast to $H_{\mathrm{AES}}$, its double-pipe counterpart (only defined for the AES key size of 256 bit) provides much better protection against these attacks, assuming the AES itself does not suffer from some still unknown cryptanalytic weaknesses. Even finding a 3-collision for a double-pipe 128-bit hash would take more than $2^{80}$ units of running time and therefore seems to be infeasible today. The price for the improved security is a performance penalty by a factor of four, similarly to double-piped SHA-256.
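The double-pipe construction with SHA-256-sized parameters, with compression calls counted so that the "about four times slower" estimate of the SHA-256 and AES paragraphs above can be checked on a message (added example, not the paper's code). The compression function is a stand-in built from hashlib.sha256 with the SHA-256 state and block sizes, not the real SHA-256 compression function, and the last block is folded in as a single call $C(H'_{L-1}, H''_{L-1} \| M_L)$, as the proof in Appendix A.4 treats it; both are assumptions.

```python
"""Double-pipe Merkle-Damgard with a pluggable compression function C(G, X),
|G| = n bytes (chaining value), |X| = n + m bytes, and a call counter.
Stand-in C and the final-block handling are assumptions, not the paper's."""
import hashlib


class CountingCompressor:
    """C(G, X) with n-byte output; counts how often it is invoked."""

    def __init__(self, n_bytes):
        self.n = n_bytes
        self.calls = 0

    def __call__(self, g, x):
        assert len(g) == self.n and len(x) == 2 * self.n
        self.calls += 1
        # Stand-in for a real compression function (NOT SHA-256's own).
        return hashlib.sha256(g + x).digest()[:self.n]


def md_pad(msg, chunk):
    """MD strengthening: 0x80, zero fill, 8-byte big-endian bit length."""
    bitlen = 8 * len(msg)
    msg = msg + b"\x80"
    msg += b"\x00" * ((-len(msg) - 8) % chunk)
    return msg + bitlen.to_bytes(8, "big")


def plain_md(msg, comp, iv):
    """Classic single-pipe MD: chunk = n + m bytes (64 for SHA-256 sizes)."""
    chunk = 2 * comp.n
    h = iv
    padded = md_pad(msg, chunk)
    for i in range(0, len(padded), chunk):
        h = comp(h, padded[i:i + chunk])
    return h


def double_pipe(msg, comp, iv1, iv2):
    """Double pipe: chunk m = (n + m) - n bytes, two C calls per block,
    H'_i = C(H'_{i-1}, H''_{i-1}||M_i), H''_i = C(H''_{i-1}, H'_{i-1}||M_i),
    and output C(H'_{L-1}, H''_{L-1}||M_L) for the last block (assumed)."""
    chunk = comp.n                     # 512 - 256 bits = 32 bytes
    padded = md_pad(msg, chunk)
    blocks = [padded[i:i + chunk] for i in range(0, len(padded), chunk)]
    h1, h2 = iv1, iv2
    for m in blocks[:-1]:
        h1, h2 = comp(h1, h2 + m), comp(h2, h1 + m)   # both use old h1, h2
    return comp(h1, h2 + blocks[-1])


def cost_ratio(msg_len_bytes, n_bytes=32):
    """(plain calls, double-pipe calls) for a constructed all-zero message."""
    msg = bytes(msg_len_bytes)
    c1, c2 = CountingCompressor(n_bytes), CountingCompressor(n_bytes)
    iv1 = bytes([0x5A]) * n_bytes      # constructed IVs, distinct per pipe
    iv2 = bytes([0xA5]) * n_bytes
    plain_md(msg, c1, iv1)
    double_pipe(msg, c2, iv1, iv2)
    return c1.calls, c2.calls


if __name__ == "__main__":
    for size in (1024, 16384):
        plain, double = cost_ratio(size)
        print(size, plain, double, round(double / plain, 2))
```

For a 16 KiB message the counts are 257 versus 1025 calls, i.e. a ratio just under four, as the text estimates for large messages.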


^7 Note that sharing initial values between different hash functions is never recommendable. Thus, $H'_0$ and $H''_0$ should not be taken from [19].


Identity-Based Hierarchical Strongly Key-Insulated Encryption and Its Application

Yumiko Hanaoka^1, Goichiro Hanaoka^2, Junji Shikata^3, and Hideki Imai^{2,4}

1 NTT DoCoMo, Inc
yamamotoyumi@nttdocomo.co.jp
2 Research Center for Information Security, National Institute of Advanced Industrial Science and Technology
hanaoka-goichiro@aist.go.jp
3 Graduate School of Environment and Information Sciences, Yokohama National University
shikata@mlab.jks.ynu.ac.jp
4 Institute of Industrial Science, University of Tokyo
imai@iis.u-tokyo.ac.jp


Abstract. In this paper, we discuss non-interactive updating of decryp- 
tion keys in identity-based encryption (IBE). In practice, key revocation 
is a necessary and inevitable process and IBE is no exception when it 
comes to having to manage revocation of decryption keys without losing 
its merits in efficiency. Our main contribution of this paper is to pro- 
pose novel constructions of IBE where a decryption key can be renewed 
without having to make changes to its public key, i.e. user’s identity. We 
achieve this by extending the hierarchical IBE (HIBE). Regarding se- 
curity, we address semantic security against adaptive chosen ciphertext 
attacks for a very strong attack environment that models all possible 
types of key exposures in the random oracle model. In addition to this, 
we show a method of constructing a partially collusion resistant HIBE from 
arbitrary IBE in the random oracle model. By combining both results, 
we can construct an IBE with non-interactive key update from only an 
arbitrary IBE. 

1 Introduction 

Background. To the best of our knowledge, current public key infrastructures 
involve complex construction of certification authorities (CA), consequently re- 
quiring expensive communication and computation costs for certificate verifi- 
cation. In 1984, Shamir introduced an innovative concept called identity-based 
encryption (IBE) [25] (later actualized in [7]) where any public key is determined 
as an arbitrary string, e.g. user’s name, e-mail address, etc. which simplifies 
certificate management in public key infrastructures. In this paper, we address 
non-interactive updating of user’s decryption key in IBE. Revocation and re- 
newal of decryption key is a necessary process carried out in practice, and so, 
designing of IBE which allows renewal and updating of decryption keys without 
losing its merits in efficiency will have considerable implications in the practical 
crypto-infrastructure. One application of IBE is of a mobile phone scenario, in 
which case, phone number represents the user identity. It will be both simple and 
convenient for the mobile phone users to be able to communicate and identify 
each other by their phone numbers only. The users will also want to keep their 
phone numbers as fixed identities, and therefore, it is necessary to be able to 
renew and update the decryption key in a way its corresponding public key will 
be unchanged. As you can see, in practical situations as seen in this scenario, 
such problem of IBE can be critical. Our main objective is to solve this problem. 
Our Results. Our main contribution of this paper is to propose novel con- 
structions of IBE where a decryption key can be renewed without having to make 
changes to its public key, i.e. user’s identity. We start by discussing the impos- 
sibility of dealing with such a problem in the conventional IBE model, followed 
by introducing a new IBE model which makes this possible. Based on the new 
model, we construct a new IBE in which a decryption key can be updated “non- 
interactively” , that is, allow user to renew and update his decryption key without 
any help from the central authority, and most importantly, without having to change 
his identity. In our scheme, similar to [13], we assume a private device (PD). PD 
is not connected to the network except at each fixed time period when the de- 
cryption key is updated. A helper key stored in the PD generates a key-update 
information which is used to update the decryption key. All secret operations are 
done by the user alone. Our scheme can be regarded as the first construction of 
an identity-based version of strongly secure key insulated encryption [13]. Here, 
we mean “strongly” by a system whose security is guaranteed even when its PD is 
physically compromised. Our scheme is different from [13] in a way that the PD is 
divided into multiple levels forming a hierarchical structure improving its security. 

In brief, our proposed schemes are constructed by extending the hierarchi- 
cal identity-based encryption schemes (HIBE) [24,22]. Straightforward exten- 
sion of HIBE, however, will be completely vulnerable for our attack model. Our 
major contribution of this paper is the proposal of two secure constructions 
of IBE that can renew and update the decryption key non-interactively: (1) a 
generic construction based on any HIBE, and (2) a specific construction based 
on Gentry-Silverberg HIBE [22]. In the generic construction, only an arbitrary 
(chosen plaintext secure) HIBE is used to build a chosen ciphertext secure IBE 
with non-interactive key update. The merit of such scheme is the flexibility it 
has in selecting the underlying assumption which can be determined depending 
on the requirement of the system. As a by-product, the same method used in 
the generic construction can also be used to build a (standard) strongly secure 
key-insulated encryption from an arbitrary (H)IBE and a standard public key en- 
cryption. On the other hand, the specific construction is constructed by directly 
extending the Gentry-Silverberg HIBE [22]. Although being more efficient than 
the generic scheme, the specific scheme is based on the bilinear Diffie-Hellman 
(BDH) assumption [7,8] and flexibility may become a concern when designing 
new constructions in terms of security. In addition to our main contribution, we 
also show a construction of a partially collusion resistant HIBE built from only 
an arbitrary IBE. This can be applied to the above result (i.e. generic scheme) 
to give a construction of IBE with non-interactive key update built from only an 
arbitrary IBE. Note that we mean “partial collusion resistant” in a sense that 
we argue based on the security definition in [24] and not in [22] . Security of our 
schemes is proved in the random oracle model. 

Applications: Mobile Phone Scenario. Now let’s consider the suitability of 
introducing a private device (PD) in the mobile phone scenario (see also Background.). At first glance, it seems like a hassle to have to use the PD whenever you need to update your decryption key, although it is not as bad as you might think. As a mobile phone user, it is your routine job to re-charge your battery every now and then. Now, assume a PD-BC (i.e. a private device that can function also as a battery charger). A PD-BC can provide a convenient means to update the decryption key since updating can be done at the same time you re-charge the battery (which you have to do anyway). The security of the system is 
also guaranteed even if the PD-BC is compromised. Here, we introduced a mo- 
bile phone scenario, but this is just one of many attractive applications of IBE. 
Whoever is at high risk of losing the decryption key (e.g. a laptop PC user) can 
benefit from this system. To further improve the security, PD can be stratified 
into multiple levels. Each level has its own device which updates the device of 
a level below, each level with varying updating periods. We let the lowest level 
PD be the least secure device (i.e. PD-BC) of which the keys are updated more 
frequently than the ones in the higher levels. Security of the devices in each 
level also increases as the level of the hierarchy goes higher. As an example, the 
least secure device, PD-BC, updates the decryption key everyday and the helper 
key stored in the PD-BC is updated (using the PD of a level higher) every 2-3 
months. Since lower level PDs are used more frequently, they must be kept in 
places more handy (e.g. at home or work place) and higher level PDs which are 
used not as frequently be kept somewhere not as convenient but physically safer 
(e.g. safe). Our IBE system can guarantee the security even if any level PD is 
compromised even of the highest one. 

Related Works. The problem of revocability of private keys in identity-based 
schemes was initially discussed by Shinozaki, Itoh, Fujioka and Tsujii [26]. Baek 
and Zheng [2] showed an application of threshold decryption method to IBE. It 
does decrease the possibility of getting the keys to be exposed in the first place, 
however, it does not deal with what it can do after key exposure has actually 
occurred. In [16], Dodis and Yung proposed an interesting idea that refreshes 
the private keys in HIBE. Their scheme provides a solution to the problem of 
gradual key exposure in which the private key is assumed to slowly compromise 
over time. Boneh and Franklin in their paper ([7], Section 1.1.1) showed the 
first generalized method for key revocation in IBE schemes. In their scheme, a 
privileged Private Key Generator (PKG) generates each user’s decryption key 
where its corresponding public key is set to be the concatenation of user iden- 
tity and fixed length of time the key is available, e.g. “recipient@xxx.xxx || 
2005 . 01 . 01-2005 . 12 . 31” . In such a setting, the public key, despite of whether 
it is revoked or not, is renewed regularly by the PKG, and also, the renewal 
interval must be set short (e.g. per day) to alleviate the damage caused by 
key exposures. Therefore, having to set the interval short and require frequent 
contacts with the PKG implies increase in the total communication and compu- 
tation cost, consequently, losing one of primary advantages of IBE (i.e. low costs 
in communication and computation). Further, it needs to work out a way to 
establish a secure channel between the PKG and the user. For instance, it needs 
to compensate for additional transmission for key issuing and also has to deal 
with complicated transactions if the secret information used to setup the secure 
channel is exposed. Moreover, forward security must be considered. It is, hence, 
not desirable to have to require frequent communication via secure channel with 
the PKG in IBE as it implicates loss of primary advantages of IBE. 

On the other hand, as a solution to the key exposure and revocation problem in conventional public key systems, Dodis, Katz, Xu and Yung [13] 
proposed a scheme called key-insulated encryption. As said earlier, this scheme 
also assumes a PD in which it stores the helper key. The helper key assists 
the user to renew his decryption key by generating secrets necessary to update 
the key. Here, the public key is fixed. In [14,15], Dodis, Franklin, Katz, Miyaji 
and Yung further improved [13] with an additional property, forward security. 
Notice that being able to renew the decryption key without having to make 
any changes to the corresponding public key as in the key-insulated encryption 
scheme, is the very technique desired in IBE. A possible harmonization of the advantages of the two schemes, an identity-based version of a (strongly secure) key-insulated encryption scheme, has never been constructed before. Also, there 
has never been a construction built of a hierarchical version of key-insulated 
encryption where the PD is organized in a hierarchical tree structure. Besides 
the related works shown so far, there is other interesting research on the topic of key exposure and revocation as well, for example, [21,1], but both are looked at from a non identity-based perspective. 

We mentioned earlier that our IBE with non-interactive key update is con- 
structed by extending the HIBE [24,22]. HIBE is a powerful cryptographic tool 
and also forms the basis of various cryptographic techniques, e.g. [11] . However, all 
methods known to construct HIBE [24,22,11,4,6] require specific assumptions in 
elliptic curve cryptography, e.g. the BDH problem [7,8] as the underlying assump- 
tion and therefore lacks flexibility in selecting the underlying assumption. (While 
for IBE, besides BDH, there is also a construction based on quadratic residuosity 
problem [10].) There is also an open problem for a generic construction of HIBE 
based on arbitrary IBE and is one of important research topics in this area. 

2 Model and Definitions 

Overview of the Model. Before we start discussing the details of the actual 
construction of our IBE scheme, recall earlier how we said it was impossible to 
construct an IBE that allows an essential property as key revocation if based 
on the model of conventional IBE. To be more specific, it is impossible, based 
on the conventional IBE model, for the user to immediately revoke and renew 
his decryption key only at times he needs to renew the decryption key without losing the advantage of IBE in terms of communication cost, since in the conventional IBE, a public parameter distributed at system set up phase and the user's identity are the only parameters used to encrypt a message. 

Recall that we said earlier, [7] showed the first generalized method for key re- 
vocation based on the conventional IBE model. Their scheme, however, required 
to establish a secure channel between a user and a PKG which also needed to 
be available at all times. Moreover, the burden on the PKG was heavy which 
required the PKG to periodically renew the users’ decryption keys at fixed and 
frequent time intervals. Their model is simple and generally does not have any 
problem using it and may be practical for some applications. However, there are 
other situations where their assumption is neither preferred nor available. 

We introduce a new model of IBE that can renew and update the decryption keys non-interactively (i.e. without any loss in communication cost). We 
introduce a private device (PD) which stores the helper key used to renew the 
decryption key at regular time intervals without requiring interactions with other 
entities. We further improve the security by giving hierarchical construction in 
the PD, letting the keys of each level be renewed using the devices of a level 
higher (See Applications: Mobile Phone Scenario in Sec. 1.). Our model can 
be regarded as both hierarchical and identity-based extension of key-insulated 
encryption [13]. Similar to [13], we address random-access key-update , namely, 
allowing one-step renewal of current decryption key to any of the decryption 
keys of any time period (even the past keys). Random-access key-update lets 
any ciphertext of any time period to be decrypted at any time. 

Model. In our model, private devices are structured hierarchically into $\ell$ levels, and for $i = 1, \ldots, \ell$, the $i$-th level helper key is stored in the $i$-th level device. The decryption key is stored in the 0-level PD (i.e. mobile phone). Key-update information is generated using the $i$-th level helper key, which is used to renew the $(i-1)$-th level helper key for $i = 2, \ldots, \ell$. The decryption key is renewed using the helper key of the 1st-level PD (i.e. PD-BC). To make things simple, we consider $\ell = 2$: the 1st- and 2nd-level PD correspond to the PD-BC and the PD that updates the PD-BC helper key, respectively. (Note that this can be generalized for arbitrary $\ell \ge 1$.)

Now, let $T_0(\cdot)$ and $T_1(\cdot)$ map time to the corresponding time periods for the decryption key and the 1st-level helper key, respectively. For example, assuming that the decryption key and the 1st-level helper key are updated every day and every 2-3 months, respectively, we have $T_0(\text{2005/Aug./26th/17:00}) = \text{2005/Aug./26th}$ and $T_1(\text{2005/Aug./26th/17:00}) = \text{2005/Jul.-Sep.}$ In addition, we let $T_2(\cdot)$ be a function such that for all $time$, $T_2(time) = 0$. At time $time$, the user updates his decryption key if the 1st-level helper key is valid for the time period $T_1(time)$, and a 1st-level helper key can be updated at any time. Def. 1 formally addresses this.

Definition 1 (IKE). A 2-level identity-based key-insulated encryption scheme (IKE) IKE consists of 8 algorithms: IKE = (PGen_IKE, Gen_IKE, Δ-Gen^i_IKE, Upd^i_IKE (i = 1, 2), Enc_IKE, Dec_IKE), and each is described as follows.

PGen_IKE. The public-parameter generation algorithm PGen_IKE(1^k), where $k$ is the security parameter, outputs a master key $s$ and a public parameter $p$. Note that PGen_IKE and Gen_IKE are used by the PKG only.

Gen_IKE. The user-secret generation algorithm Gen_IKE takes $s$, $p$ and the user's identity $U$ as inputs, and outputs $U$'s initial private keys $(d^0_0, d^1_0, d^2_0)$, where $d^0_0$ is $U$'s initial decryption key, and $d^i_0$ ($i = 1, 2$) are stored in $U$'s $i$-th level PD as the initial $i$-th helper key.

Δ-Gen^i_IKE. A helper key stored in the 1st-level PD and Δ-Gen^1_IKE are used to generate the key-update information required to renew the decryption key. Similarly, a helper key stored in the 2nd-level PD and Δ-Gen^2_IKE are used to generate the key-update information required to renew the 1st-level helper key. More specifically, for $i = 1, 2$, the key-update information generation algorithm Δ-Gen^i_IKE takes $d^i_t$, $p$, $U$ and $time$ as inputs, and outputs key-update information $\delta^{i-1}_{T_{i-1}(time)}$ only if $t = T_i(time)$.

Upd^i_IKE. $U$'s decryption key, key-update information $\delta^0_{T_0(time)}$ and Upd^1_IKE are used to generate $U$'s decryption key for $time$. Similarly, $U$'s 1st-level helper key, key-update information $\delta^1_{T_1(time)}$ and Upd^2_IKE are used to generate $U$'s 1st-level helper key for $time$. More specifically, for $i = 1, 2$, the key-update algorithm Upd^i_IKE takes $d^{i-1}_t$, $p$ and $\delta^{i-1}_{T_{i-1}(time)}$ as inputs for any $t$, and outputs a new key $d^{i-1}_{T_{i-1}(time)}$ for time period $T_{i-1}(time)$.

Enc_IKE. The encryption algorithm Enc_IKE inputs $m$, $U$, $p$ and $time$, where $m$ is a plaintext, $U$ is the user identity and $time$ indicates the time at which $m$ is encrypted, and outputs ciphertext $(c, time)$.

Dec_IKE. The decryption algorithm Dec_IKE inputs $(c, time)$, $d^0_t$ and $p$, and outputs $m$ or $\bot$, where $\bot$ indicates failure. Dec_IKE correctly recovers the plaintext only if $t = T_0(time)$.

Security Definition. Security of IKE is based on the assumption that adversary 
does not (illegally) obtain all of the target user’s keys all at once. Recall that 
helper keys of different levels in the hierarchy are managed differently (most 
likely stored at different places). It is unlikely for such an event to occur, i.e. an 
adversary to obtain all of the keys of all levels all at once, considering that PDs 
are disconnected from the network most of the time. We also like to remind that it gets much harder to steal the keys as the levels in the hierarchy increase; this is because PDs in the higher levels are connected to the network less frequently and also managed in places physically much safer. 

We consider an attack model based on the standard IND-ID-CCA setting in 
[7,8] plus the next case: when an adversary is allowed access to any of target 
user’s keys and also the helper keys but excluding the combinations of keys that 
can trivially lead to the target key from the definition of IKE. Next, we give 
some examples of key exposures for our security definition. 

Examples of Key Exposures. We consider a 2-level IKE: the decryption key is renewed every day, the 1st-level helper key is renewed every three months and the 2nd-level helper key is never updated. Then, any ciphertext for 2005/Dec./31st should not be decrypted by dishonest means even for the following cases:

1. Exposures of the victim's 1st-level helper keys for 2005/Jan.-Mar., ..., 2005/Jul.-Sep. and decryption keys for 2005/Jan./1st, ..., 2005/Dec./30th

2. Exposures of the victim's 2nd-level helper key and decryption keys for 2005/Jan./1st, ..., 2005/Dec./30th

3. Exposures of the victim's 2nd-level helper key and 1st-level helper keys for 2005/Jan.-Mar., ..., 2005/Oct.-Dec.

Again, we exclude the combinations of keys that can trivially determine the target key, for example, exposures of both the victim's 1st-level helper key for 2005/Oct.-Dec. and decryption key for 2005/Dec./30th. It is obvious that a decryption key for 2005/Dec./31st is easily computable from the definition of IKE. We do not consider these cases.

Next, we formally address the security definition. In our attack model, the adversary is allowed access to the following four types of oracles: (1) a key generation oracle KG(·, s, p), which on input $U$ returns $U$'s initial decryption keys $(d^0_0, d^1_0, d^2_0)$, and (2) a left-or-right encryption oracle LR(·, ·, ·, ·, p, b) [3], which for given $U$, $time$ and equal length messages $m_0, m_1$ returns the challenge ciphertext $c := $ Enc_IKE$(m_b, U, p, time)$ where $b \in_R \{0, 1\}$, and models encryption requests of an adversary of a user identity and a message pair of his choice. The third is (3) a decryption oracle D(·, ·, s, p) which on input $U$ and $(c, time)$ returns the decryption result of $c$ with the corresponding decryption key $d^0_t$ where $t = T_0(time)$. This models the chosen ciphertext attack. With these three oracles, KG, LR and D, the standard IND-ID-CCA setting can be modeled. In addition to the above, we introduce (4) a key issue oracle KI(·, ·, ·, s, p) which on input $i$, $U$ and $time$ returns $d^i_t$ where $t = T_i(time)$. This models partial exposure of honest users' keys including the victim's keys. The adversary may query the four oracles adaptively in any order he wants subject to the restriction that he makes only one query to LR. Let $U^*$ be the user's identifier of this query, and let $(c^*, time^*)$ denote the challenge ciphertext returned by LR in response to this query. Also, the adversary is not allowed to ask KG and KI for queries which can trivially determine $U^*$'s decryption key for $time^*$ from the definition of IKE. The adversary succeeds in the attack by guessing the value $b$, and the scheme is considered to be secure if any probabilistic polynomial time adversary has success probability negligibly close to 1/2.

Definition 2 (KE-CCA security). Let IKE be a 2-level identity-based key-insulated encryption scheme. Define adversary $A$'s succeeding probability as:

$$\mathrm{Succ}_{A,\mathrm{IKE}} := \Pr\big[(s, p) \leftarrow \mathrm{PGen}_{\mathrm{IKE}}(1^k);\ b \in_R \{0, 1\};\ b' \leftarrow A^{\mathrm{KG}(\cdot, s, p),\ \mathrm{LR}(\cdot, \cdot, \cdot, \cdot, p, b),\ \mathrm{D}(\cdot, \cdot, s, p),\ \mathrm{KI}(\cdot, \cdot, \cdot, s, p)}(p) : b' = b\big]$$

where $U^*$ is never asked to KG(·, s, p) and $(U^*, (c^*, time))$ is never asked to D(·, ·, s, p) such that $T_0(time) = T_0(time^*)$. $A$ can ask KI for any keys of any users if there exists a "special level" $j \in \{0, 1, 2\}$ such that

- KI$(j, U^*, time, s, p)$ is never asked for any $time$, and

- KI$(i, U^*, time, s, p)$ is never asked for any $(i, time)$ such that $i < j$ and $T_i(time) = T_i(time^*)$.

Then, IKE is KE-CCA secure (KE-CCA stands for key exposure & chosen ciphertext attack) if, for any probabilistic polynomial time adversary $A$, $|\mathrm{Succ}_{A,\mathrm{IKE}} - 1/2|$ is negligible. (Note that a "special level" is a level in which the PD of $U^*$ is not compromised. Also, recall the 0-level PD is the user's terminal, i.e. the mobile phone.)
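The time-period maps $T_0, T_1, T_2$ and the "special level" condition of Definition 2, run against the key-exposure examples listed above (an added example, not the paper's code): daily and quarterly periods follow the paper's example, the exposure sets are constructed, and the three listed cases must be admissible while the "trivial" combination must not.

```python
"""Admissibility of KI queries under the "special level" rule of
Definition 2 (2-level IKE).  Added example; period maps follow the paper's
example (daily / quarterly / never), exposure sets are constructed."""
from datetime import date, timedelta


def T(level, t):
    """Map a time t (a date here) to the period of the level's key."""
    if level == 0:
        return t                              # decryption key: daily
    if level == 1:
        return (t.year, (t.month - 1) // 3)   # 1st-level helper: quarterly
    return 0                                  # 2nd-level helper: T_2 = 0


def has_special_level(queries, target, levels=3):
    """queries: set of (level, date) exposures of U*'s keys obtained via KI.
    Returns a special level j, or None if the exposures trivially determine
    the decryption key for `target` (the query set is not admissible)."""
    for j in range(levels):
        if any(lvl == j for lvl, _ in queries):
            continue          # level-j PD of U* must be uncompromised
        if any(lvl < j and T(lvl, t) == T(lvl, target) for lvl, t in queries):
            continue          # a lower level leaks the target's own period
        return j
    return None


def days(start, end):
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


# Constructed exposure sets mirroring the paper's Examples of Key Exposures.
TARGET = date(2005, 12, 31)
DEC_KEYS_JAN1_DEC30 = {(0, d) for d in days(date(2005, 1, 1), date(2005, 12, 30))}
HELPER1_Q1_Q3 = {(1, date(2005, m, 1)) for m in (1, 4, 7)}
HELPER1_Q1_Q4 = HELPER1_Q1_Q3 | {(1, date(2005, 10, 1))}
HELPER2 = {(2, date(2005, 1, 1))}

CASES = {
    "case1": HELPER1_Q1_Q3 | DEC_KEYS_JAN1_DEC30,   # special level 2
    "case2": HELPER2 | DEC_KEYS_JAN1_DEC30,         # special level 1
    "case3": HELPER2 | HELPER1_Q1_Q4,               # special level 0
    "trivial": {(1, date(2005, 10, 1)), (0, date(2005, 12, 30))},  # excluded
}


def evaluate(cases=CASES, target=TARGET):
    """Special level found for each case, or None where the rule excludes it."""
    return {name: has_special_level(q, target) for name, q in cases.items()}


if __name__ == "__main__":
    for name, j in evaluate().items():
        print(name, "admissible, special level" if j is not None else "excluded", j)
```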

Exposure of Key-Update Information. If we look closer into the security of IKE, it can be realized that exposure of key-update information should also be considered in addition to the above discussion. Although, we can also see that it is obvious that if $\delta^i_{T_i(time)}$ can be computed from $d^i_{T_i(time)}$ and $d^i_t$ for any $time$ and $t$, then exposure of key-update information can be simulated by using KI. Hence, if this property holds, then the security definition so far discussed will be sufficient (by itself) even when exposure of the key-update information is considered. As a matter of fact all of our constructions satisfy this property.


3 Straightforward IKE from HIBE Is Insecure 

Although HIBE and IKE are alike in some sense, simply using HIBE as a building block does not yield a KE-CCA secure IKE. We give further discussion on this later, but first, we clarify the relation between HIBE and IKE.

Brief Review of HIBE. HIBE distributes the workload of the PKG in IBE by organizing the PKGs in a hierarchical tree structure. The security definition of an HIBE follows. This definition runs parallel with [22], which is the hierarchical extension of Boneh and Franklin's IBE [7,8]. Note that a 1-level HIBE is a standard IBE. A user in an HIBE hierarchy is defined as a tuple of identities (D^{t−1}.D^{t−2}. ··· .D^0) where t denotes the depth of the hierarchy. The user's ancestors in the hierarchy tree include the root-PKG and the users/sub-PKGs whose identities are {(D^{t−1}.D^{t−2}. ··· .D^i : 0 < i ≤ t − 1)}.

Definition 3 (HIBE). A t-level hierarchical identity-based encryption (HIBE) HIBE consists of 3+t algorithms: HIBE = (PGen_HIBE, Gen^i_HIBE (1 ≤ i ≤ t), Enc_HIBE, Dec_HIBE), defined as follows:

PGen_HIBE. The public-parameter generation algorithm PGen_HIBE(1^k), where k is the security parameter, outputs root-master key s and public parameter p. PGen_HIBE is used only by the root-PKG.

Gen^i_HIBE. The user-secret generation algorithm Gen^1_HIBE inputs D^{t−1}, s and p, and outputs D^{t−1}'s key s_{D^{t−1}}. Similarly, Gen^i_HIBE takes D^{t−1}.D^{t−2}. ··· .D^{t−i}, s_{D^{t−1}.D^{t−2}. ··· .D^{t−i+1}} and p as inputs, and outputs D^{t−1}.D^{t−2}. ··· .D^{t−i}'s key s_{D^{t−1}.D^{t−2}. ··· .D^{t−i}} for 2 ≤ i ≤ t. Here, for 1 ≤ i ≤ t − 1, s_{D^{t−1}.D^{t−2}. ··· .D^{t−i}} is the sub-master key which enables D^{t−1}.D^{t−2}. ··· .D^{t−i} to generate his descendants' keys, and s_{D^{t−1}.D^{t−2}. ··· .D^0} is the decryption key of D^{t−1}.D^{t−2}. ··· .D^0.

Enc_HIBE. The encryption algorithm Enc_HIBE takes m, D^{t−1}.D^{t−2}. ··· .D^0 and p as inputs, where m is a plaintext and D^{t−1}.D^{t−2}. ··· .D^0 is the receiver's identity, and outputs a ciphertext c.

Dec_HIBE. The decryption algorithm Dec_HIBE takes c, s_{D^{t−1}.D^{t−2}. ··· .D^0} and p as inputs, and outputs m or ⊥, which means failure. Dec_HIBE recovers the plaintext only if c is encrypted correctly using D^{t−1}.D^{t−2}. ··· .D^0 as an encryption key.

Security of an HIBE is defined as follows. An adversary adaptively selects a target user's identity and equal-length messages m_0, m_1 and submits them to a left-or-right encryption oracle LR, which returns a ciphertext of m_b, where b ←R {0, 1}, for the target user. The adversary also has access to a decryption oracle D which gives decryption results of any ciphertext except for the challenge ciphertext from LR. There is also a key generation oracle KG which exposes any user key except for the target's and its ancestors'. HIBE is secure if an adversary correctly determines b with probability at most 1/2 + neg where neg is negligible. HIBE is IND-HID-CCA (resp. IND-HID-CPA) if unlimited access to D and KG (resp. only KG) is allowed [22]. HIBE is IND-wHID-CCA (resp. IND-wHID-CPA) if unlimited access (resp. no access) to D is allowed while the number of queries to KG is bounded as follows [24]: unlimited access is allowed for at least one level in the hierarchy, but for the rest of the levels, the number of queries does not exceed the threshold value w such that w = O(poly(k)). See Appendix A for more details.

An Insecure IKE from HIBE. Consider the following (insecure) construction of a 2-level IKE based on a 3-level HIBE: In the initial phase, PKG generates (s, p) := PGen_HIBE(1^k) and user U's 2nd-level helper key d^2_0 := Gen^1_HIBE(U, s, p). At time, U generates his 1st-level helper key d^1_{T_1(time)} := Gen^2_HIBE(T_1(time), d^2_0, p) and decryption key d^0_{T_0(time)} := Gen^3_HIBE(T_0(time), d^1_{T_1(time)}, p). For a message m for U at time, a ciphertext c is generated as c = Enc_HIBE(m, U.T_1(time).T_0(time), p). Renewal of decryption keys in IBE from HIBE is described in [24] as well.

This straightforward construction of an IKE from HIBE is insecure (i.e. not KE-CCA secure): it does not satisfy the security of 2. and 3. of the Examples of Key Exposures from the previous section. Namely, if the 1st-level PD (or the PD-BC) is stolen at 2005/Oct./1st/0:00, then confidentiality of the ciphertexts generated during the period 2005/Oct.-Dec. is lost. Moreover, exposure of the 2nd-level helper key alone compromises the security for any time period. Therefore, a straightforward construction of IKE from HIBE is not KE-CCA secure.

4 Generic Construction 

Basic Idea. As shown in the previous section, the straightforward construction of an IKE from HIBE is vulnerable, and for such a system, loss of only one of a user's PDs implies compromise of the entire system. In this section, we show a generic construction of a secure IKE built from three distinct HIBEs. Here is the general idea: each of the three HIBEs plays a part in mutually securing against the different types of key exposures, consequently protecting the system as a whole and guaranteeing its security even if a PD is compromised. We extend a technique called multiple encryption proposed in [28] to construct a KE-CCA secure IKE from HIBE. It is important to note that the original [28] scheme is applied only to standard public key encryption, so straightforward adoption of this scheme, again, does not immediately imply a secure IKE.

PGen_IKE(1^k):
  (s_h, p_h) ← PGen_HIBE_h(1^k), 1 ≤ h ≤ 3
  choose H_h, 1 ≤ h ≤ 3
  return s := (s_1, s_2, s_3), p := (p_1, p_2, p_3, H_1, H_2, H_3)

Gen_IKE(s, p, U):
  s_{h,U} ← Gen^1_HIBE_h(U, s_h, p_h), 1 ≤ h ≤ 3
  d^0_0 := (s_{1,U}, ·, ·), d^1_0 := (s_{2,U}, ·), d^2_0 := s_{3,U}
  return (d^0_0, d^1_0, d^2_0)

Δ-Gen^1_IKE(d^1_t, p, U, time):
  parse d^1_t = (σ_2, σ_3)
  σ'_h ← Gen^h_HIBE_h(T_0(time), σ_h, p_h), h = 2, 3
  return δ^1_{T_0(time)} := (σ'_2, σ'_3)

Δ-Gen^2_IKE(d^2_0, p, U, time):
  parse d^2_0 = σ_3 (= s_{3,U})
  σ'_3 ← Gen^2_HIBE_3(T_1(time), σ_3, p_3)
  return δ^2_{T_1(time)} := σ'_3

Upd^1_IKE(d^0_t, p, δ^1_{T_0(time)}):
  parse d^0_t = (σ_1, σ_2, σ_3)
  parse δ^1_{T_0(time)} = (σ'_2, σ'_3)
  return d^0_{T_0(time)} := (σ_1, σ'_2, σ'_3)

Upd^2_IKE(d^1_t, p, δ^2_{T_1(time)}):
  parse d^1_t = (σ_2, σ_3)
  parse δ^2_{T_1(time)} = σ'_3
  return d^1_{T_1(time)} := (σ_2, σ'_3)

Enc_IKE(m, U, p, time):
  m_1, m_2 ←R {0, 1}^n, m_3 := m ⊕ m_1 ⊕ m_2
  r_1, r_2, r_3 ←R {0, 1}^{k_1}
  R_h := H_h(m, m_h, r_1, r_2, r_3), 1 ≤ h ≤ 3
  U_1 := U, U_2 := U.T_0(time), U_3 := U.T_1(time).T_0(time)
  c_h := Enc_HIBE_h(m_h||r_h, U_h, p_h; R_h), 1 ≤ h ≤ 3
  return (c, time) := ((c_1, c_2, c_3), time)

Dec_IKE((c', time), d^0_t, p):
  output ⊥ and halt if t ≠ T_0(time)
  parse c' = (c'_1, c'_2, c'_3)
  parse d^0_t = (σ_1, σ_2, σ_3)
  (m'_h||r'_h) ← Dec_HIBE_h(c'_h, σ_h, p_h), 1 ≤ h ≤ 3
  validity check by re-encryption

Fig. 1. Generic Construction of KE-CCA Secure IKE from IND-HID-CPA HIBE

Construction. Fig. 1 shows a generic construction of KE-CCA secure IKE from any HIBE where each of the HIBEs has only chosen plaintext security, i.e. IND-HID-CPA (see Appendix A). Here, we give supplementary explanation of Fig. 1 and discuss our generic construction in more detail.

Let HIBE_h = (PGen_HIBE_h, Gen^i_HIBE_h (1 ≤ i ≤ h), Enc_HIBE_h, Dec_HIBE_h) be an h-level HIBE for 1 ≤ h ≤ 3 and construct a 2-level IKE IKE = (PGen_IKE, Gen_IKE, Δ-Gen^i_IKE, Upd^i_IKE (i = 1, 2), Enc_IKE, Dec_IKE) as follows.

PGen_IKE sets up the master keys and public parameters of HIBE_h and cryptographic hash functions H_h : {0, 1}^{2n+3k_1} → COIN for 1 ≤ h ≤ 3, where n denotes the size of a message of IKE. COIN is the internal coin-flipping space of Enc_HIBE_h, assuming that n + k_1 is the size of a message in HIBE_h.¹ The security analysis will view H_h as random oracles. Gen_IKE generates U's secrets of HIBE_h for 1 ≤ h ≤ 3 as U's initial key for IKE. Δ-Gen^1_IKE generates decryption keys of HIBE_2 and HIBE_3 for identities U.T_0(time) and U.T_1(time).T_0(time), respectively, as the "differential" between U's previous key and the next renewed key at time. Then, Upd^1_IKE generates U's decryption key of IKE for time by combining the differential with U's previous key. Similarly, Δ-Gen^2_IKE generates a sub-master key of HIBE_3 for U.T_1(time), and Upd^2_IKE generates U's 1st-level helper key of IKE for time by combining U's previous key and Δ-Gen^2_IKE's output. Enc_IKE securely integrates the three encryption algorithms of the h-level HIBEs for 1 ≤ h ≤ 3. First, a plaintext m is divided into three shares m_1, m_2, m_3, and each m_h (1 ≤ h ≤ 3) is encrypted by the h-level HIBE HIBE_h for identity U_h where U_1 := U, U_2 := U.T_0(time) and U_3 := U.T_1(time).T_0(time). Here, the technique in [28] is applied (but not straightforwardly, as mentioned earlier) to securely integrate the three underlying HIBEs. Dec_IKE recovers each of the three shares and composes them to recover the plaintext. It also checks the validity of the ciphertext by re-encryption. Namely, R'_h := H_h(m', m'_h, r'_1, r'_2, r'_3) and c''_h ← Enc_HIBE_h(m'_h||r'_h, U_h, p_h; R'_h) are computed for 1 ≤ h ≤ 3; unless c''_h = c'_h for all h, output ⊥, otherwise output m'. This scheme can easily be generalized to a t-level IKE for arbitrary t ≥ 1.

Definition 4 (γ-uniformity [20]). Let HIBE = (PGen_HIBE, Gen^i_HIBE (1 ≤ i ≤ t), Enc_HIBE, Dec_HIBE) be a t-level HIBE. For given D^{t−1}.D^{t−2}. ··· .D^0, x, y and z, define

γ(D^{t−1}.D^{t−2}. ··· .D^0, x, y, z) := Pr[r ←R COIN : z = Enc_HIBE(x, D^{t−1}.D^{t−2}. ··· .D^0, y; r)],

where COIN is the internal coin-flipping space for Enc_HIBE. We say that HIBE is γ-uniform if γ(D^{t−1}.D^{t−2}. ··· .D^0, x, y, z) ≤ γ for any D^{t−1}.D^{t−2}. ··· .D^0, x, y and z.

Theorem 1. The above scheme is a KE-CCA secure 2-level IKE in the random oracle model, assuming that HIBE_h (1 ≤ h ≤ 3) are IND-HID-CPA HIBEs. More precisely, suppose there is an adversary A who can break the above scheme with probability 1/2 + ε_A with run time at most t_A. Suppose A makes at most q_KG, q_KI, q_D, q_{H_1}, q_{H_2}, q_{H_3} queries to KG, KI, D, H_1, H_2, H_3, respectively. Then, there is another adversary B who can break at least one of HIBE_h (1 ≤ h ≤ 3) in the sense of IND-HID-CPA with probability 1/2 + ε_B and running time t_B, where

ε_B ≥ (1/3) · { (1/2 + ε_A − 1 + (1 − 1/2^{k_1})^{q_{H_1} + q_{H_2} + q_{H_3}}) · (1 − γ_max)^{q_D} − 1/2 },

t_B ≤ t_A + 2 t_ENC + (2 q_KG + 5 q_KI) t_GEN + q_D((q_{H_1} + q_{H_2} + q_{H_3}) t_ENC + q_{H_1} q_{H_2} q_{H_3} · O(k)),

assuming that γ_max = max(γ_1, γ_2, γ_3), HIBE_i is γ_i-uniform, and the running times of Gen^i_HIBE_h and Enc_HIBE_h are at most t_GEN and t_ENC, respectively, for any h and i.

¹ For simplicity, we assume for all HIBE_h that the spaces of coin-flipping and messages are COIN and {0, 1}^{n+k_1}, respectively.

Proof. See Appendix B. □ 

Random Oracle. If we want to eliminate the random oracle, the multiple encryption technique in [12] can be extended instead of the one of [28] we used, to construct a KE-CCA secure IKE assuming that the underlying HIBEs are all IND-HID-CCA in the standard model, e.g. [11,4,5,6,27], while the above construction using [28] requires only IND-HID-CPA HIBEs. Furthermore, by applying a similar method to our proposed scheme, we can construct another KE-CCA secure IKE from HIBE with only one-wayness under chosen plaintext attacks.

“Standard” Strongly Key-Insulated Encryption. By extending the multi- 
ple encryption technique mentioned in the above, we can construct a generic con- 
struction of a strongly secure key-insulated encryption [13] from a chosen plain- 
text secure IBE and a chosen plaintext secure standard public key encryption. 
This method can also be applied to the Cocks IBE [10] to construct a strongly 
secure key-insulated encryption. (The Boneh-Franklin IBE based scheme was 
proposed earlier in [9]). 

5 Efficient Construction from Bilinear Mapping 

Basic Idea. In the previous section, we showed a construction of KE-CCA secure IKE using HIBE as a black box. Here, we propose a construction of KE-CCA secure IKE by directly extending Gentry-Silverberg HIBE (GS-HIBE) [22] and the Fujisaki-Okamoto conversion [19,20]. The major difference between our two constructions is as follows: in our specific construction, the h-level HIBEs for 1 ≤ h ≤ 3 are integrated using a homomorphic property of pairing, while our generic construction is based on multiple encryption [28]. Our specific construction is more efficient than the generic construction. Note that since our specific construction is based on a specific assumption, i.e. the BDH assumption, it may lack flexibility in designing new constructions in terms of security.

Construction. As shown in Fig. 2, a 2-level IKE IKE = (PGen_IKE, Gen_IKE, Δ-Gen^i_IKE, Upd^i_IKE (i = 1, 2), Enc_IKE, Dec_IKE) can be constructed using bilinear mapping. Here, we give supplementary explanation of Fig. 2 and discuss our specific construction in more detail.

PGen_IKE generates two cyclic groups G_1 and G_2 of prime order q and an efficiently computable mapping e : G_1 × G_1 → G_2 such that e(aP, bQ) = e(P, Q)^{ab} for all P, Q ∈ G_1 and any positive integers a, b. This map does not send all pairs in G_1 × G_1 to the identity in G_2. Also, PGen_IKE chooses cryptographic hash functions H_1 : {0, 1}* → G_1, H_2 : G_2 → {0, 1}^{n+k_1} and H_3 : {0, 1}^n × {0, 1}^{k_1} → Z_q, where n denotes the size of the message space. The security analysis will view H_1, H_2, H_3 as random oracles. It further generates master key s and its corresponding public parameter Q. Gen_IKE, Δ-Gen^i_IKE and Upd^i_IKE (i = 1, 2) are the same as in the generic construction based on [22]. Based on the homomorphic property of pairing, Enc_IKE and Dec_IKE integrate three HIBE encryptions into one. Although not mentioned in Fig. 2, to protect from active attacks, Dec_IKE outputs ⊥ and halts if (i) t ≠ T_0(time), or (ii) (V, V_{t_1}, V_{t_0}, W) ∉ G_1^3 × {0, 1}^{n+k_1}, or (iii) the re-encryption of m' for U, time and p is not identical to (c', time).

PGen_IKE(1^k):
  set up G_1, G_2, e, P ∈ G_1
  s_1, s_2, s_3 ←R Z_q
  Q := (s_1 + s_2 + s_3) P
  choose H_1, H_2, H_3
  return s := (s_1, s_2, s_3), p := (G_1, G_2, e, P, Q, H_1, H_2, H_3)

Gen_IKE(s, p, U):
  P_U := H_1(U) ∈ G_1
  S_h := s_h P_U, h = 1, 2, 3
  d^0_0 := (S_1, (·, ·), (·, ·, ·)), d^1_0 := (S_2, (S_3, ·)), d^2_0 := S_3
  return (d^0_0, d^1_0, d^2_0)

Δ-Gen^1_IKE(d^1_t, p, U, time):
  parse d^1_t = (S_2, (S^1_3, Q^1_3))
  s^0_2, s^0_3 ←R Z_q
  P_{t_0} := H_1(U.T_1(time).T_0(time))
  S^0_2 := S_2 + s^0_2 P_{t_0}, S^0_3 := S^1_3 + s^0_3 P_{t_0}, Q^0_h := s^0_h P, h = 2, 3
  return δ^1_{T_0(time)} := ((S^0_2, Q^0_2), (S^0_3, Q^0_3, Q^1_3))

Δ-Gen^2_IKE(d^2_0, p, U, time):
  parse d^2_0 = S_3
  s^1_3 ←R Z_q
  P_{t_1} := H_1(U.T_1(time))
  S^1_3 := S_3 + s^1_3 P_{t_1}, Q^1_3 := s^1_3 P
  return δ^2_{T_1(time)} := (S^1_3, Q^1_3)

Upd^1_IKE(d^0_t, p, δ^1_{T_0(time)}):
  parse d^0_t = (S_1, (S^0_2, Q^0_2), (S^0_3, Q^0_3, Q^1_3))
  parse δ^1_{T_0(time)} = ((S'^0_2, Q'^0_2), (S'^0_3, Q'^0_3, Q'^1_3))
  return d^0_{T_0(time)} := (S_1, (S'^0_2, Q'^0_2), (S'^0_3, Q'^0_3, Q'^1_3))

Upd^2_IKE(d^1_t, p, δ^2_{T_1(time)}):
  parse d^1_t = (S_2, (S^1_3, Q^1_3))
  parse δ^2_{T_1(time)} = (S'^1_3, Q'^1_3)
  return d^1_{T_1(time)} := (S_2, (S'^1_3, Q'^1_3))

Enc_IKE(m, U, p, time):
  P_U := H_1(U), P_{t_1} := H_1(U.T_1(time)), P_{t_0} := H_1(U.T_1(time).T_0(time))
  ρ ←R {0, 1}^{k_1}, r := H_3(m, ρ), g := e(Q, P_U)
  c := (rP, rP_{t_1}, rP_{t_0}, (m||ρ) ⊕ H_2(g^r))
  return (c, time)

Dec_IKE((c', time), d^0_t, p):
  parse c' = (V, V_{t_1}, V_{t_0}, W)
  parse d^0_t = (S_1, (S^0_2, Q^0_2), (S^0_3, Q^0_3, Q^1_3))
  (m'||ρ') := W ⊕ H_2( e(V, S_1 + S^0_2 + S^0_3) / (e(Q^0_2 + Q^0_3, V_{t_0}) · e(Q^1_3, V_{t_1})) )
  validity check by re-encryption

Fig. 2. KE-CCA Secure IKE from Bilinear Mapping
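Added worked derivation (not part of the paper): why the three pairings in Dec_IKE of Fig. 2 recover g^r, written with the construction's own symbols. Assume d^0_t = (S_1, (S^0_2, Q^0_2), (S^0_3, Q^0_3, Q^1_3)) was produced by Gen_IKE, Δ-Gen^2_IKE, Upd^2_IKE, Δ-Gen^1_IKE and Upd^1_IKE for the same time as the ciphertext, so that S_1 = s_1 P_U, S^0_2 = s_2 P_U + s^0_2 P_{t_0}, S^0_3 = s_3 P_U + s^1_3 P_{t_1} + s^0_3 P_{t_0}, Q^0_h = s^0_h P and Q^1_3 = s^1_3 P, and that c = (V, V_{t_1}, V_{t_0}, W) = (rP, rP_{t_1}, rP_{t_0}, (m||ρ) ⊕ H_2(g^r)) with g = e(Q, P_U) and Q = (s_1 + s_2 + s_3)P. By bilinearity,

$$
\begin{aligned}
e(V,\ S_1 + S^0_2 + S^0_3)
 &= e\bigl(rP,\ (s_1+s_2+s_3)P_U + (s^0_2+s^0_3)P_{t_0} + s^1_3 P_{t_1}\bigr)\\
 &= e(P,P_U)^{r(s_1+s_2+s_3)} \cdot e(P,P_{t_0})^{r(s^0_2+s^0_3)} \cdot e(P,P_{t_1})^{r s^1_3}\\
 &= g^r \cdot e(Q^0_2+Q^0_3,\ V_{t_0}) \cdot e(Q^1_3,\ V_{t_1}),
\end{aligned}
$$

since $e(Q^0_2+Q^0_3, V_{t_0}) = e((s^0_2+s^0_3)P, rP_{t_0}) = e(P,P_{t_0})^{r(s^0_2+s^0_3)}$ and $e(Q^1_3, V_{t_1}) = e(s^1_3 P, rP_{t_1}) = e(P,P_{t_1})^{r s^1_3}$. Hence

$$
g^r = \frac{e(V,\ S_1 + S^0_2 + S^0_3)}{e(Q^0_2+Q^0_3,\ V_{t_0}) \cdot e(Q^1_3,\ V_{t_1})},
\qquad W \oplus H_2(g^r) = m\|\rho ,
$$

which is exactly the three-pairing decryption counted in the Efficiency paragraph. The re-encryption check then recomputes $r' := H_3(m', \rho')$ and accepts only if $(r'P,\ r'P_{t_1},\ r'P_{t_0}) = (V, V_{t_1}, V_{t_0})$. The period-specific factors $e(P,P_{t_0})^{\cdot}$ and $e(P,P_{t_1})^{\cdot}$ can only be divided out with the components $Q^0_h$ and $Q^1_3$ that Δ-Gen refreshes for that period, which is what ties a decryption key to its time period.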

Theorem 2. The above scheme is a KE-CCA secure 2-level IKE in the random oracle model assuming that the computational BDH (CBDH) problem [7,8] is hard to solve. More precisely, we suppose there is an adversary A who breaks the above scheme with probability 1/2 + ε_A with run time at most t_A. Also, suppose that A makes at most q_KG, q_KI, q_D, q_{H_2}, q_{H_3} queries to KG, KI, D, H_2, H_3, respectively. Then, there is another adversary who can solve the CBDH problem
with probability ε_cbdh and running time t_cbdh where
f > 6 ,, \ 

€cbdh ~ e 3 q H2 (3 + q KG + q Kl ) 3 ' ( A 2 kl 2 q h 

t_cbdh ≤ O(t_A + (2 q_KG + 5 q_KI) t_EXP + q_D(t_e + q_{H_3} t_EXP + q_{H_2} q_{H_3} · O(k))),

assuming that the time for exponentiation over G_1 is at most t_EXP, and the time for a pairing computation is at most t_e.

Proof of the theorem is given in the full version of this paper [23].

Efficiency. In a pairing based scheme, the dominant factor that decides its total computation cost is the number of pairing computations carried out. For the above construction of KE-CCA secure IKE from bilinear mapping, only one and three pairing computations are required for encryption and decryption, respectively. On the other hand, for the generic construction (shown in the previous section) using [22] as the underlying HIBE, the numbers of pairing computations for encryption and decryption are three and six, respectively.

6 Generic HIBE from Any IBE

As seen from our discussion so far, HIBE serves an important role as a building block of various cryptographic schemes, including the ones we have proposed. In this section, we show a generic construction of HIBE from an arbitrary IBE that also provides a partial solution to an open problem of HIBE. We can, for example, bring the Cocks IBE [10] to construct an HIBE, which also implies that whenever a new construction of an IBE is proposed hereafter, it can be converted to construct an HIBE. For the security definition, we introduce partial collusion resistance (i.e. IND-wHID-CCA) [24] instead of full collusion resistance (i.e. IND-HID-CCA) [22]. The security definition is more relaxed, but our contribution is significant as this is the first generic HIBE construction built from an arbitrary IBE. In this section, for simplicity, we show a construction of a 2-level HIBE, but it can also be extended to a t-level HIBE for t > 2.

Security Definition. Our construction of a generic HIBE proposed here is based on the security definition of [24]. Particularly, for our 2-level construction of HIBE, it is collusion free for the users (in the lower domain), but has a polynomial-sized collusion threshold w for the sub-PKGs (in the higher domain), where w = O(poly(k)) and k is a security parameter.

Cover Free Family. We use a cover free family (CFF) [17] as a building block, similar to the generic construction of key-insulated encryption [13]. Note that the method used in [13] only addresses chosen plaintext security, and cannot be applied straightforwardly to construct a chosen ciphertext secure HIBE.

Definitions (CFF). Let L := {l_1, l_2, ..., l_u} and F = {F_1, ..., F_v} be a family of subsets of L. We call (L, F) a (u, v, w)-cover free family (CFF) if for all F_i ∈ F, F_i ⊄ F_{j_1} ∪ ··· ∪ F_{j_w} for any F_{j_k} (≠ F_i) ∈ F, k ∈ {1, ..., w}.





PGen_HIBE(1^k):
  generate (u, v, w)-CFF (L, F)
  (s_i, p_i) ← PGen_IBE(1^k), 1 ≤ i ≤ u
  choose H : {0, 1}* → F and H_i : {0, 1}^{2n+uk_1} → COIN, 1 ≤ i ≤ u
  return s := {s_i}_{1≤i≤u} and p := (H, {p_i, H_i}_{1≤i≤u})

Gen^1_HIBE(D^1, s, p):
  parse s = {s_i}_{1≤i≤u}
  F_{D^1} := H(D^1) ∈ F
  return s_{D^1} := {s_i}_{i∈F_{D^1}}

Gen^2_HIBE(D^1.D^0, s_{D^1}, p):
  parse s_{D^1} = {s_i}_{i∈F_{D^1}}
  s_{i,D^1.D^0} ← Gen_IBE(D^1.D^0, s_i, p_i), i ∈ F_{D^1}
  return s_{D^1.D^0} := {s_{i,D^1.D^0}}_{i∈F_{D^1}}

Enc_HIBE(m, D^1.D^0, p):
  F_{D^1} := H(D^1) ∈ F
  m_i ←R {0, 1}^n, i ∈ F_{D^1} such that ⊕_{i∈F_{D^1}} m_i = m
  r_i ←R {0, 1}^{k_1}, i ∈ F_{D^1}
  c_i ← Enc_IBE(m_i||r_i, D^1.D^0, p_i; H_i(m, m_i, R)), i ∈ F_{D^1}
  return c := {c_i}_{i∈F_{D^1}}

Dec_HIBE(c', s_{D^1.D^0}, p):
  parse c' = {c'_i}_{i∈F_{D^1}}
  parse s_{D^1.D^0} = {s_{i,D^1.D^0}}_{i∈F_{D^1}}
  (m'_i||r'_i) ← Dec_IBE(c'_i, s_{i,D^1.D^0}, p_i), i ∈ F_{D^1}
  m' := ⊕_{i∈F_{D^1}} m'_i
  validity check by re-encryption

Fig. 3. Generic Construction of Partially Collusion Resistant HIBE

It should be noted that there exist nontrivial constructions of CFF with u = O(w^2 log v) and #F_i = O(w log v) (1 ≤ i ≤ v). In the following, we assume #F_1 = #F_2 = ··· = #F_v = μ for some μ and #{F_i ∈ F : l_j ∈ F_i} ≥ ⌈vμ/u⌉ for all l_j ∈ L. Concrete methods for generating CFF are given in [18].

Construction. Fig. 3 shows a generic construction of a chosen ciphertext secure 2-level HIBE with partial collusion resistance from an arbitrary IND-ID-CPA IBE using CFF. Here, we give supplementary explanation of Fig. 3 and discuss our generic construction of HIBE in more detail.

Let IBE = (PGen_IBE, Gen_IBE, Enc_IBE, Dec_IBE) be a standard IBE (i.e. a 1-level HIBE). Then, a 2-level HIBE HIBE = (PGen_HIBE, Gen^i_HIBE (i = 1, 2), Enc_HIBE, Dec_HIBE) can be constructed as follows.

PGen_HIBE generates a (u, v, w)-CFF (L, F) and u pairs of master key and public parameter of IBE, where L = {1, ..., u}, u = O(poly(k)), v = O(exp(k)) and w = O(poly(k)). For the hash functions, n denotes the size of a message of HIBE, and COIN represents the internal coin-flipping space of Enc_IBE, assuming that n + k_1 is the size of a message in IBE. The security analysis will view H and H_i (1 ≤ i ≤ u) as random oracles. Gen^1_HIBE picks the master keys corresponding to F_{D^1}. Gen^2_HIBE generates IBE decryption keys by using s_{D^1} = {s_i}_{i∈F_{D^1}}. Enc_HIBE encrypts m with the encryption algorithms which correspond to F_{D^1}, where R is the concatenation of all r_i arranged in increasing order of i for i ∈ F_{D^1}. Dec_HIBE decrypts all c'_i for i ∈ F_{D^1}. Then, it re-encrypts m' with m'_i and r'_i. Unless the encryption result is identical to c', Dec_HIBE outputs ⊥; otherwise, it outputs m'.
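Added example (my own code, not from the paper or its authors): a small runnable model of the cover-free-family mechanics behind Fig. 3. poly_cff builds the classical polynomial CFF over GF(p), assumed here as one concrete instance (the paper itself points to [18] for constructions); is_cover_free checks the (u, v, w)-CFF definition by brute force; hash_to_block models H : {0,1}* → F; split_shares/combine_shares are the XOR share-splitting ⊕_{i∈F_{D^1}} m_i = m that Enc_HIBE performs, the same device Enc_IKE in Fig. 1 uses with three shares; and colluders_can_recover shows why partial collusion resistance holds: w sub-PKG key sets never cover a target's F_{D^1}, so at least one share stays encrypted. All function names are this example's own.

```python
# Added example, not code from the paper.  Models the CFF and XOR-share
# plumbing of Fig. 3 (and the share splitting of Fig. 1) on toy parameters.
import hashlib
import itertools
import secrets
from functools import reduce


def poly_cff(p, d):
    """Cover-free family from polynomials of degree < d over GF(p) (assumed
    concrete instance).  Ground set L = GF(p) x GF(p), so u = p^2.  Each of the
    v = p^d polynomials f gives the block F_f = {(x, f(x)) : x in GF(p)} of size
    p.  Two distinct polynomials of degree < d agree on at most d-1 points, so
    w other blocks cover at most w*(d-1) points of F_f: the family is
    w-cover-free whenever w*(d-1) < p.  Blocks are frozensets of point indices."""
    points = [(x, y) for x in range(p) for y in range(p)]
    index = {pt: i for i, pt in enumerate(points)}
    family = []
    for coeffs in itertools.product(range(p), repeat=d):
        block = frozenset(
            index[(x, sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p)]
            for x in range(p)
        )
        family.append(block)
    return len(points), family


def is_cover_free(family, w):
    """Brute-force test of the definition: no F_i is contained in the union of
    any w other members of the family.  Exponential in w; fine for toy sizes."""
    for i, f_i in enumerate(family):
        others = family[:i] + family[i + 1:]
        for combo in itertools.combinations(others, w):
            if f_i <= frozenset().union(*combo):
                return False
    return True


def hash_to_block(identity: bytes, family):
    """H : {0,1}* -> F, modelled by a hash (the analysis treats H as random)."""
    digest = int.from_bytes(hashlib.sha256(identity).digest(), "big")
    return family[digest % len(family)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_shares(m: bytes, block):
    """m_i <-R {0,1}^n for i in F_{D^1}, with the XOR of all m_i equal to m.
    All but the last share are uniformly random; the last one fixes the sum."""
    idx = sorted(block)
    shares = {i: secrets.token_bytes(len(m)) for i in idx[:-1]}
    shares[idx[-1]] = reduce(xor_bytes, shares.values(), m)
    return shares


def combine_shares(shares) -> bytes:
    """Dec_HIBE's m' := XOR of the recovered shares."""
    return reduce(xor_bytes, shares.values())


def colluders_can_recover(target_block, colluder_blocks):
    """A coalition of sub-PKGs holds the IBE master keys s_i for every i in the
    union of their blocks F_{D^j}; it can decrypt every share c_i of the target
    only if that union covers the target's block F_{D^1}."""
    known = frozenset().union(*colluder_blocks) if colluder_blocks else frozenset()
    return target_block <= known


if __name__ == "__main__":
    u, fam = poly_cff(5, 2)            # u = 25 points, v = 25 blocks of size 5
    print("blocks:", len(fam), "4-cover-free:", is_cover_free(fam, 4),
          "5-cover-free:", is_cover_free(fam, 5))
    target = hash_to_block(b"sub-PKG-A", fam)
    shares = split_shares(b"sixteen byte msg", target)   # constructed sample
    print("share indices:", sorted(shares), "->", combine_shares(shares))
    coalition = [hash_to_block(b"sub-PKG-B", fam), hash_to_block(b"sub-PKG-C", fam)]
    print("two colluding sub-PKGs recover target's shares:",
          colluders_can_recover(target, coalition))
```

With p = 5 and d = 2 the family is 4-cover-free but not 5-cover-free, which is the threshold w the security definition bounds; is_cover_free enumerates all w-subsets, so use it only on toy parameters.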

Theorem 3. The above scheme is IND-wHID-CCA in the random oracle model, with the restriction that an adversary is allowed to query sub-PKGs' keys at most w times, assuming that IBE is IND-ID-CPA. More precisely, assume an adversary A who breaks the above scheme with probability 1/2 + ε_A with run time at most t_A and that A makes at most q_KG, q_D, q_{H_i} queries to KG, D, H_i (1 ≤ i ≤ u), respectively. Then, there is another adversary B who can break IBE in the sense of IND-ID-CPA with probability 1/2 + ε_B and running time t_B where

t_B ≤ t_A + μ t_ENC + q_KG μ t_GEN + q_D(q_Σ t_ENC + q_Π · O(k)),

and q_Σ := max_{{i_1, ..., i_μ} ⊆ {1, ..., u}} (Σ_{i∈{i_1, ..., i_μ}} q_{H_i}) and q_Π := max_{{i_1, ..., i_μ} ⊆ {1, ..., u}} (Π_{i∈{i_1, ..., i_μ}} q_{H_i}), assuming that IBE is γ-uniform, and the running times of Gen_IBE and Enc_IBE are at most t_GEN and t_ENC, respectively.

Proof of the theorem is given in the full version of this paper [23].
Appendix A: Formal Security Definitions for HIBE

Here, we give a formal security definition of hierarchical identity-based encryption (HIBE). The definition runs parallel with [22] and [24], which are the hierarchical extensions of Boneh and Franklin's IBE [7,8].

Regarding chosen ciphertext attacks, we address the following three types of oracles. First is a key generation oracle KG which, on input D^{t−1}.D^{t−2}. ··· .D^i, returns D^{t−1}.D^{t−2}. ··· .D^i's secret s_{D^{t−1}.D^{t−2}. ··· .D^i} for 0 ≤ i ≤ t − 1. Next is a left-or-right encryption oracle LR which, for a given user D^{*,t−1}.D^{*,t−2}. ··· .D^{*,0} and equal-length messages m_0, m_1, picks b ←R {0, 1} and returns a challenge ciphertext c := Enc_HIBE(D^{*,t−1}.D^{*,t−2}. ··· .D^{*,0}, m_b, p). This models an encryption request of an adversary who can pick a target's identity and a message pair of his choice. Finally, the adversary is allowed access to a decryption oracle D, which on input D^{t−1}.D^{t−2}. ··· .D^0 and a ciphertext c, returns the decryption result of c using s_{D^{t−1}.D^{t−2}. ··· .D^0}. This models the chosen ciphertext attack. Also, if considering only chosen plaintext attacks, any access to D is prohibited while accesses to KG and LR remain permitted. An adversary may query the three oracles adaptively in any order he wants, subject to the restriction that he makes only one query to the left-or-right oracle. Let D^{*,t−1}.D^{*,t−2}. ··· .D^{*,0} be the user's identifier of this query and let c* denote the challenge ciphertext returned by the left-or-right oracle in response to this query. The adversary succeeds by guessing the value b. A HIBE is considered secure if any probabilistic polynomial time adversary has success probability negligibly close to 1/2.

Definition 6. Let HIBE = (PGen_HIBE, Gen^i_HIBE (1 ≤ i ≤ t), Enc_HIBE, Dec_HIBE) be a hierarchical identity-based encryption scheme. Define adversary A's succeeding probability in the above chosen ciphertext attack game as:

Succ_{A,HIBE} := Pr[(s, p) ← PGen_HIBE(1^k); b ←R {0, 1};
  b' ← A^{KG(·, s, p), LR(·, ·, ·, p, b), D(·, ·, s, p)} : b' = b],

where any element in {(D^{*,t−1}.D^{*,t−2}. ··· .D^{*,i} : 0 ≤ i ≤ t − 1)} is never asked to KG and A is not allowed to query D(D^{*,t−1}.D^{*,t−2}. ··· .D^{*,0}, c*, s, p) if c* is returned by LR. Then, HIBE is

— IND-HID-CCA if |Succ_{A,HIBE} − 1/2| is negligible for any probabilistic polynomial time adversary A (particularly, we call it IND-ID-CCA if t = 1),

— IND-HID-CPA if |Succ_{A,HIBE} − 1/2| is negligible for any probabilistic polynomial time adversary A who is not allowed to submit any query to D at all (particularly, we call it IND-ID-CPA if t = 1),

— IND-wHID-CCA if |Succ_{A,HIBE} − 1/2| is negligible for any probabilistic polynomial time adversary A who is allowed to submit queries to KG at most w times for given layers in the hierarchy (A is also allowed to submit an unlimited number of queries to KG for at least one layer),

— IND-wHID-CPA if |Succ_{A,HIBE} − 1/2| is negligible for any probabilistic polynomial time adversary A who is allowed to submit queries to KG at most w times for given layers in the hierarchy, but no query to D is permitted (A is also allowed to submit an unlimited number of queries to KG for at least one layer).

Next, we give concrete examples for the above IND-wHID-CCA and IND-wHID-CPA. Suppose we have a 2-level HIBE which includes a root-PKG layer, a sub-PKG layer and a user layer. The sub-PKG layer is set as the special layer in which the number of queries from the adversary is bounded. In the IND-wHID-CCA (or IND-wHID-CPA) setting, an adversary is allowed to ask for the sub-PKGs' keys at most w times, while an unlimited number of users' decryption keys may be exposed. In addition to KG, the adversary is allowed access to D when considering the IND-wHID-CCA setting.


Appendix B: Proof of Theorem 1 

Here, we prove KE-CCA security for our generic construction. We construct an adversary B who can break at least one of the underlying HIBEs in the sense of IND-HID-CPA by using another adversary A who is able to break the KE-CCA security of the proposed IKE.

For given public parameters p_h (1 ≤ h ≤ 3) which correspond to HIBE_h, respectively, B chooses i' ←R {0, 1, 2} and computes PGen_HIBE_h(1^k) = (s'_h, p'_h) for 1 ≤ h ≤ 3, h ≠ i' + 1. Also, B sets (p_1, p'_2, p'_3), (p'_1, p_2, p'_3) and (p'_1, p'_2, p_3) for i' = 0, 1 and 2, respectively, as (part of) the public parameter of IKE and sends it to A. On A's requests for the oracles, B answers them following the next simulation:

Simulation of LR. For an LR oracle query U*, time*, m_0, m_1 from A, B simulates IKE's LR oracle as follows. First, B sets a = i' + 1. For all h (1 ≤ h ≤ 3, h ≠ a), B picks m_h ←R {0, 1}^n and r_h ←R {0, 1}^{k_1} such that ⊕_{1≤h≤3, h≠a} m_h = α for α ←R {0, 1}^n. Also, B sets m_{a,0} = m_0 ⊕ α and m_{a,1} = m_1 ⊕ α. Then, B picks r_{a,j} ←R {0, 1}^{k_1} for j = 0, 1, and sets U*_1 = U*, U*_2 = U*.T_0(time*) and U*_3 = U*.T_1(time*).T_0(time*). Also, B sends U*_a, (m_{a,0}||r_{a,0}), (m_{a,1}||r_{a,1}) to B's own LR oracle which corresponds to HIBE_a, and the oracle returns the challenge ciphertext c*_a. Next, B encrypts (m_h||r_h) by the encryption algorithm of HIBE_h with p'_h and U*_h, and produces challenge ciphertexts c*_h for 1 ≤ h ≤ 3, h ≠ a. Finally, B returns ((c*_1, c*_2, c*_3), time*) to A. Note that B's goal is to distinguish the underlying plaintext of c*_a.

Simulation of H. For H_h (1 ≤ h ≤ 3) oracle queries, B returns random values if the query has never been asked before; otherwise B returns the same value as before. If an H_h query is identical to (m_{b'}, m_h, ω_1, ω_2, ω_3) such that ω_a = r_{a,b'} and ω_h = r_h (1 ≤ h ≤ 3, h ≠ a) for some b' ∈ {0, 1} (here, m_a means m_{a,b'}), B outputs (b', a) and halts.

Simulation of KG. It is clear that for any of the KG queries, B can answer perfectly by asking B's own KG oracle. More precisely, on A's request for a KG oracle query U (≠ U*), B can ask U to B's KG oracle corresponding to HIBE_a, as well as run the user-secret generation algorithms of HIBE_h with master key s'_h for 1 ≤ h ≤ 3, h ≠ a. Then, B produces d^i_0 for 0 ≤ i ≤ 2 by using these results and returns (d^0_0, d^1_0, d^2_0).

Simulation of KI. Interestingly, answers to A's KI oracle queries can be perfectly simulated by B when i' is the "special level" (see Def. 2) chosen by A. Namely, B can perfectly answer any KI oracle query by using B's own KG oracle which corresponds to HIBE_a and the master keys s'_h (1 ≤ h ≤ 3, h ≠ a) which correspond to HIBE_h. It should be noticed that the simulation is perfect even if U = U*.
Simulation of D. On A's D query for U and (c, time), B searches the combinations of A's previous queries made to H_1, H_2, H_3 such that each combination consists of three queries ψ_1, ψ_2, ψ_3 where, for 1 ≤ i ≤ 3, query ψ_i was asked to H_i and ψ_i is of the form (m, m_i, r_1, r_2, r_3) for some n-bit strings m, m_i and k_1-bit strings r_1, r_2, r_3 such that m_1 ⊕ m_2 ⊕ m_3 = m (note that m, r_1, r_2 and r_3 are common to all of ψ_1, ψ_2 and ψ_3). If there exists such a combination whose corresponding ciphertext (for U and time) is identical to (c, time), then B returns m. Otherwise, B returns ⊥.

When A outputs b', B also outputs (b', a) as an answer for the IND-HID-CPA game for HIBE_a.

Now, we estimate B's succeeding probability. The simulations of LR, H_h (1 ≤ h ≤ 3), and KG are perfect. The simulation of KI fails only when i' is not the special level chosen by A. Therefore, if we let 1/2 + ε_A be the succeeding probability of A, then B's succeeding probability can be estimated to be 1/2 + ε_B where

ε_B ≥ (1/3) · ((1/2 + ε_A − Pr[H-Ask]) · Pr[¬D-Fail] − 1/2),

where H-Ask denotes the event that (m_{b'}, m_h, ω_1, ω_2, ω_3) such that ω_a = r_{a,b'} and ω_j = r_j (j ≠ a) is asked to H_h for some h, and D-Fail denotes the event that B rejects a D query which should not be rejected.

Since it is information-theoretically impossible to find r_{a,b}, we have Pr[H-Ask] ≤ 1 − (1 − 1/2^{k_1})^{q_{H_1}+q_{H_2}+q_{H_3}} where q_{H_i} (1 ≤ i ≤ 3) are the numbers of queries made to H_i. The simulation of D fails only when A submits a ciphertext which should not be rejected, but its corresponding H_i oracle query has not been asked. Therefore, Pr[¬D-Fail] ≥ (1 − γ_max)^{q_D} where q_D is the number of queries to D and γ_max = max(γ_1, γ_2, γ_3), assuming that HIBE_i is γ_i-uniform.

Hence, we have

ε_B ≥ (1/3) · { (1/2 + ε_A − 1 + (1 − 1/2^{k_1})^{q_{H_1}+q_{H_2}+q_{H_3}}) · (1 − γ_max)^{q_D} − 1/2 }.

Also, letting t_A be A's running time, B's running time can be estimated to be t_B, where

t_B ≤ t_A + 2 t_ENC + (2 q_KG + 5 q_KI) t_GEN + q_D((q_{H_1} + q_{H_2} + q_{H_3}) t_ENC + q_{H_1} q_{H_2} q_{H_3} · O(k)),

assuming that the numbers of queries made to KG and KI are q_KG and q_KI, respectively, and the running times of Gen^i_HIBE_h and Enc_HIBE_h are at most t_GEN and t_ENC, respectively, for any h and i. Therefore, ε_A is negligible if ε_B, 1/2^{k_1} and γ_max are all negligible, and hence, our proposed generic construction of IKE is KE-CCA secure.
Abstract. In this paper we describe a new identity-based signcryption (IBSC) scheme built upon bilinear maps. This scheme turns out to be more efficient than all others proposed so far. We prove its security in a formal model under recently studied computational assumptions and in the random oracle model. As a result of independent interest, we propose a new provably secure identity-based signature (IBS) scheme that is also faster than all known pairing-based IBS methods.

1 Introduction 

Two fundamental services of public key cryptography are privacy and authentica- 
tion. Public key encryption schemes aim at providing confidentiality whereas dig- 
ital signatures must provide authentication and non-repudiation. Nowadays, no- 
ticeably, many real-world cryptographic applications require those distinct goals 
to be simultaneously achieved. This motivated Zheng [39] to provide the cryp- 
tographer’s toolbox with a novel cryptographic primitive which he called ‘sign- 
cryption.’ The purpose of this kind of cryptosystem is to encrypt and sign data 
in a single operation which has a computational cost less than that of doing 
both operations sequentially. Proper signcryption schemes should provide confi- 
dentiality as well as authentication and non-repudiation. As in conventional en- 
cryption schemes, recovering the plaintext from a signcrypted message must be 

* This author's work was supported by the DGTRE's First Europe Program of the 
Walloon Region in Belgium. 

** This author wishes to thank Enterprise Ireland for their support with this research 
under grant IF/2002/0312/N. 
computationally infeasible without the recipient's private key; as in conventional 
digital signatures, it must be computationally infeasible to create signcrypted 
texts without the sender's private key. 

Identity based cryptography has become a very fashionable area of research 
for the last couple of years. The concept was originally introduced in 1984 by 
Shamir [34] whose idea was that users within a system could use their online 
identifiers (combined with certain system-wide information) as their public keys. 
This greatly reduces the problems with key management that have hampered 
the mass uptake of public key cryptography on a per individual basis. While 
identity-based signature schemes (IBS) rapidly emerged [20,23] after 1984 (see [5] 
for a thorough study of them), and despite another bandwidth-consuming pro- 
posal [18], it is only in 2001 that bilinear mappings over elliptic curves were found 
to yield the first fully practical identity-based encryption (IBE) solution [10]. 
Those bilinear maps, or pairings, subsequently turned out to yield plenty of 
cryptographic applications [2] among which several recent outstanding results 
on identity-based encryption [7,8,21,36]. 

Several identity-based signcryption algorithms have been proposed so 
far, e.g. [11,14,16,17,26,27,30,33,37]. Within this handful of results, only 
[11,14,16,17,26,37] consider schemes supported by formal models and security 
proofs in the random oracle model [6]. Among them, Chen and Malone-Lee’s 
proposal [14] happens to yield the most efficient construction. 

The main contribution of this paper is to propose a new identity-based sign- 
cryption scheme that even supersedes [14] from an efficiency point of view at 
the expense of a security resting on stronger assumptions. The new construction 
can benefit from the most efficient pairing calculation techniques for a larger 
variety of elliptic curves than previous schemes. Indeed, recent observations [35] 
pinpointed problems arising when many provably secure pairing based protocols 
are implemented using asymmetric pairings and ordinary curves. Our proposal 
avoids those problems thanks to the fact that it does not require to hash onto an 
elliptic curve cyclic subgroup. As a result of independent interest, we discovered 
a new identity-based signature that happens to be faster at verification than 
previously known IBS schemes. 

This paper is organized as follows. Section 2 presents the basic security the- 
oretic concepts of bilinear map groups and the hard problems underlying our 
proposed algorithms. We describe our identity-based signature scheme and prove 
its security in section 3. We propose a new identity-based signcryption scheme 
in section 4, and compare its efficiency to various schemes in section 5. We draw 
our conclusions in section 6. 


2 Preliminaries 

2.1 Bilinear Map Groups and Related Computational Problems 

Let k be a security parameter and p be a k-bit prime number. Let us consider groups $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_T$ of the same prime order p and let P, Q be generators of respectively $\mathbb{G}_1$ and $\mathbb{G}_2$. We say that $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T)$ are bilinear map groups if there exists a bilinear map $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ satisfying the following properties:

1. Bilinearity: $\forall (S, T) \in \mathbb{G}_1 \times \mathbb{G}_2$, $\forall a, b \in \mathbb{Z}$, $e(aS, bT) = e(S, T)^{ab}$.

2. Non-degeneracy: $\forall S \in \mathbb{G}_1$, $e(S, T) = 1$ for all $T \in \mathbb{G}_2$ iff $S = O$.

3. Computability: $\forall (S, T) \in \mathbb{G}_1 \times \mathbb{G}_2$, $e(S, T)$ is efficiently computable.

4. There exists an efficient, publicly computable (but not necessarily invertible) isomorphism $\psi : \mathbb{G}_2 \to \mathbb{G}_1$ such that $\psi(Q) = P$.

Such bilinear map groups are known to be instantiable with ordinary elliptic curves such as those suggested in [29] or [4]. In this case, the trace map can be used as an efficient isomorphism $\psi$ as long as $\mathbb{G}_2$ is properly chosen [35]. With supersingular curves, symmetric pairings (i.e. $\mathbb{G}_1 = \mathbb{G}_2$) can be obtained and $\psi$ is the identity.

The computational assumptions for the security of our schemes were pre- 
viously formalized by Boneh and Boyen [9,7] and are recalled in the following 
definition. 

Definition 1 ([9,7]). Let us consider bilinear map groups $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T)$ and generators $P \in \mathbb{G}_1$ and $Q \in \mathbb{G}_2$.

The q-Strong Diffie-Hellman problem (q-SDHP) in the groups $(\mathbb{G}_1, \mathbb{G}_2)$ consists in, given a $(q+2)$-tuple $(P, Q, \alpha Q, \alpha^2 Q, \ldots, \alpha^q Q)$ as input, finding a pair $\big(c, \frac{1}{c+\alpha}P\big)$ with $c \in \mathbb{Z}_p^*$.

The q-Bilinear Diffie-Hellman Inversion problem (q-BDHIP) in the groups $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T)$ consists in, given $(P, Q, \alpha Q, \alpha^2 Q, \ldots, \alpha^q Q)$, computing $e(P, Q)^{1/\alpha} \in \mathbb{G}_T$.

3 A New Identity-Based Signature 

We here present a new identity-based signature that is significantly more efficient than all known pairing based IBS schemes as its verification algorithm requires a single pairing calculation. This efficiency gain is obtained at the expense of letting the security rely on a stronger assumption than other provably secure pairing based IBS [12,15,24].

Setup: given a security parameter k, the PKG chooses bilinear map groups $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T)$ of prime order $p > 2^k$ and generators $Q \in \mathbb{G}_2$, $P = \psi(Q) \in \mathbb{G}_1$, $g = e(P, Q)$. It then selects a master key $s \leftarrow \mathbb{Z}_p^*$, a system-wide public key $Q_{pub} = sQ \in \mathbb{G}_2$ and hash functions $H_1 : \{0,1\}^* \to \mathbb{Z}_p^*$, $H_2 : \{0,1\}^* \times \mathbb{G}_T \to \mathbb{Z}_p^*$. The public parameters are

$$\mathsf{params} := \{\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, P, Q, g, Q_{pub}, e, \psi, H_1, H_2\}$$

Keygen: for an identity ID, the private key is $S_{ID} = \frac{1}{H_1(ID) + s}P$.

Sign: in order to sign a message $M \in \{0,1\}^*$, the signer

1. picks a random $x \leftarrow \mathbb{Z}_p^*$ and computes $r = g^x$,

2. sets $h = H_2(M, r) \in \mathbb{Z}_p^*$,

3. computes $S = (x + h)S_{ID}$.

The signature on M is $\sigma = (h, S) \in \mathbb{Z}_p^* \times \mathbb{G}_1$.

Verify: a signature $\sigma = (h, S)$ on a message M is accepted iff $h = H_2\big(M, e(S, H_1(ID)Q + Q_{pub})\,g^{-h}\big)$.

The scheme can be thought of as an identity-based extension of a digital sig- 
nature discussed in two independent papers [9,38]. More precisely, the method 
for obtaining private keys from identities is a simplification of a method sug- 
gested by Sakai and Kasahara ([33]). 

In [25], Kurosawa and Heng described an identity-based identification (IBI) 
protocol that implicitly suggests an IBS described in appendix E and which can 
be proven secure under the same assumption as our proposal. It turns out that 
ours is slightly faster than the Kurosawa-Heng IBS in the signature generation. 

At Eurocrypt'04, Bellare, Namprempre and Neven established a framework [5] for proving the security of a large family of identity-based signatures and they found only two schemes to which their framework does not apply. The present one does not fall into the category of schemes to which it applies either. Indeed, it can be shown that our IBS does not result from the transformation of any convertible standard identification or signature scheme (in the sense of [5]) unless the q-SDHP is easy. A direct security proof is thus needed.

3.1 Security Results 

We recall here the usual model [5,12,15,19,24] of security for identity-based sig- 
natures which is an extension of the usual notion of existential unforgeability 
under chosen- message attacks [22]. 

Definition 2 ([12]). An IBS scheme is existentially unforgeable under adaptive chosen message and identity attacks if no probabilistic polynomial time (PPT) adversary has a non-negligible advantage in this game:

1. The challenger runs the setup algorithm to generate the system's parameters and sends them to the adversary.

2. The adversary F performs a series of queries to the following oracles:

- Key extraction oracle: returns private keys for arbitrary identities.

- Signature oracle: produces signatures on arbitrary messages using the private key corresponding to arbitrary identities.

3. F produces a triple $(ID^*, M^*, \sigma^*)$ made of an identity $ID^*$, whose private key was never extracted, and a message-signature pair $(M^*, \sigma^*)$ such that $(M^*, ID^*)$ was not submitted to the signature oracle. She wins if the verification algorithm accepts the triple $(ID^*, M^*, \sigma^*)$.

The next lemmas establish the security of the scheme under the q-SDH assumption. Lemma 1 [12] allows us to consider only a weaker attack where a forger is challenged on a given identity chosen by the challenger. The proof of lemma 2 relies on the forking lemma [31,32].
Lemma 1 ([12]). If there is a forger $\mathcal{F}_0$ for an adaptively chosen message and identity attack having advantage $\varepsilon_0$ against our scheme when running in a time $t_0$ and making $q_{h_1}$ queries to random oracle $H_1$, then there exists an algorithm $\mathcal{F}_1$ for an adaptively chosen message and given identity attack which has advantage $\varepsilon_1 \ge \varepsilon_0(1 - 1/2^k)/q_{h_1}$ within a running time $t_1 \le t_0$. Moreover, $\mathcal{F}_1$ asks the same number of key extraction queries, signature queries and $H_2$-queries as $\mathcal{F}_0$ does.

Lemma 2. Let us assume that there is an adaptively chosen message and given identity attacker $\mathcal{F}$ that makes $q_{h_i}$ queries to random oracles $H_i$ (i = 1, 2) and $q_s$ queries to the signing oracle. Assume that, within a time t, $\mathcal{F}$ produces a forgery with probability $\varepsilon > 10(q_s + 1)(q_s + q_{h_2})/2^k$. Then, there exists an algorithm B that is able to solve the q-SDHP for $q = q_{h_1}$ in an expected time

$$t' \le 120686\,q_{h_2}\big(t + O(q_s\tau_p)\big)/\big(\varepsilon(1 - q/2^k)\big) + O(q^2\tau_{mult})$$

where $\tau_{mult}$ denotes the cost of a scalar multiplication in $\mathbb{G}_2$ and $\tau_p$ is the cost of a pairing evaluation.

Proof. See appendix A. □

The combination of the above lemmas yields the following theorem.

Theorem 1. Let us assume that there exists an adaptively chosen message and identity attacker $\mathcal{F}$ making $q_{h_i}$ queries to random oracles $H_i$ (i = 1, 2) and $q_s$ queries to the signing oracle. Assume that, within a time t, $\mathcal{F}$ produces a forgery with probability $\varepsilon > 10(q_s + 1)(q_s + q_{h_2})/2^k$. Then, there exists an algorithm B that is able to solve the q-SDHP for $q = q_{h_1}$ in an expected time

$$t' \le 120686\,q_{h_1}q_{h_2}\big(t + O(q_s\tau_p)\big)/\big(\varepsilon(1 - q/2^k)\big) + O(q^2\tau_{mult})$$

where $\tau_{mult}$ and $\tau_p$ respectively denote the cost of a scalar multiplication in $\mathbb{G}_2$ and the required time for a pairing evaluation.

4 Fast Identity-Based Signcryption 

4.1 Formal Model of Identity-Based Signcryption 

The formal structure that we shall use for identity-based signcryption schemes 
is the following. 

Setup: is a probabilistic algorithm run by a private key generator (PKG) that 
takes as input a security parameter to output public parameters params and 
a master key mk that is kept secret. 

Keygen: is a key generation algorithm run by the PKG on input of params and 
the master key mk to return the private key Sid associated to the identity 
ID. 

Sign/Encrypt: is a probabilistic algorithm that takes as input public parameters params, a plaintext message M, the recipient's identity $ID_R$, and the sender's private key $S_{ID_S}$, and outputs a ciphertext $\sigma = \mathsf{Sign/Encrypt}(M, S_{ID_S}, ID_R)$.

Decrypt/Verify: is a deterministic decryption algorithm that takes as input a ciphertext $\sigma$, public parameters params, the receiver's private key $S_{ID_R}$ and (optionally) a sender's identity $ID_S$ before returning a valid message-signature pair (M, s) or a distinguished symbol $\bot$ if $\sigma$ does not decrypt into a message bearing signer $ID_S$'s signature.

Unlike recent works of [11,14] that present two-layer designs of probabilistic 
signature followed by a deterministic encryption, our construction is a single- 
layer construction jointly achieving signature and encryption on one side and 
decryption and verification on the other side. Although the description of our 
scheme could be modified to fit a two-layer formalism, we kept the monolithic 
presentation without hampering the non-repudiation property as, similarly to 
[11,14], our construction enables an ordinary signature on the plaintext to be 
extracted from any properly formed ciphertext using the recipient’s private key. 
The extracted message-signature pair can be forwarded to any third party in 
such a way that a sender remains committed to the content of the plaintext. 

Unlike models of [11,14] that consider anonymous ciphertexts, the above one 
assumes that senders’ identities are sent in the clear along with ciphertexts. Actu- 
ally, receivers do not need to have any a priori knowledge on whom the ciphertext 
emanates from in our scheme but this simply allows more efficient reductions in 
the security proofs. A simple modification of our scheme yields anonymous ci- 
phertexts and enables senders’ identities to be recovered by the Decrypt/Verify al- 
gorithm (which only takes a ciphertext and the recipient’s private key as input). 

Definition 3. An identity-based signcryption scheme (IBSC) satisfies the message confidentiality property (or adaptive chosen-ciphertext security: IND-IBSC-CCA) if no PPT adversary has a non-negligible advantage in the following game.

1. The challenger runs the Setup algorithm on input of a security parameter k and sends the domain-wide parameters params to A.

2. In a find stage, A starts probing the following oracles:

- Keygen: returns private keys associated to arbitrary identities.

- Sign/Encrypt: given a pair of identities $ID_S$, $ID_R$ and a plaintext M, it returns an encryption under the receiver's identity $ID_R$ of the message M signed in the name of the sender $ID_S$.

- Decrypt/Verify: given a pair of identities $(ID_S, ID_R)$ and a ciphertext $\sigma$, it generates the receiver's private key $S_{ID_R} = \mathsf{Keygen}(ID_R)$ and returns either a valid message-signature pair (M, s) for the sender's identity $ID_S$ or the $\bot$ symbol if, under the private key $S_{ID_R}$, $\sigma$ does not decrypt into a valid message-signature pair.

3. A produces two plaintexts $M_0, M_1 \in \mathcal{M}$ and identities $ID_S^*$ and $ID_R^*$. She may not have extracted the private key of $ID_R^*$ and she obtains $C = \mathsf{Sign/Encrypt}(M_b, S_{ID_S^*}, ID_R^*, \mathsf{params})$, for a random bit $b \leftarrow \{0,1\}$.

4. In the guess stage, A asks new queries as in the find stage. This time, she may not issue a key extraction request on $ID_R^*$ and she cannot submit C to the Decrypt/Verify oracle for the target identity $ID_R^*$.

5. Finally, A outputs a bit $b'$ and wins if $b' = b$.

A's advantage is defined as $\mathsf{Adv}(A) := 2 \times \Pr[b' = b] - 1$.

The next definition, given in [11], considers non-repudiation w.r.t. signatures 
embedded in ciphertexts rather than w.r.t. ciphertexts themselves. 

Definition 4. An identity-based signcryption scheme (IBSC) is said to be existentially signature-unforgeable against adaptive chosen messages and ciphertexts attacks (ESUF-IBSC-CMA) if no PPT adversary can succeed in the following game with a non-negligible advantage:

1. the challenger runs the Setup algorithm on input k and gives the system-wide public key to the adversary F.

2. F issues a number of queries as in the previous definition.

3. Finally, F outputs a triple $(\sigma^*, ID_S^*, ID_R^*)$ and wins the game if the sender's identity $ID_S^*$ was not corrupted and if the result of the Decrypt/Verify oracle on the ciphertext $\sigma^*$ under the private key associated to $ID_R^*$ is a valid message-signature pair $(M^*, s^*)$ such that no Sign/Encrypt query involved $M^*$, $ID_S^*$ and some receiver $ID_R'$ (possibly different from $ID_R^*$) and resulted in a ciphertext $\sigma'$ whose decryption under the private key $S_{ID_R'}$ is the alleged forgery $(M^*, s^*, ID_R^*)$.

The adversary’s advantage is its probability of victory. 

In both of these definitions, we consider insider attacks [1]. Namely, in the 
definition of message confidentiality, the adversary is allowed to be challenged on 
a ciphertext created using a corrupted sender’s private key whereas, in the notion 
of signature non-repudiation, the forger may output a ciphertext computed under 
a corrupted receiving identity. 

4.2 The Scheme 

Our scheme is obtained from an optimized combination of our IBS scheme 
with the most basic version of the Sakai-Kasahara IBE ([33,13]) which is only 
secure against chosen-plaintext attacks when used as an encryption-only sys- 
tem. This allows performing the signature-encryption operation without com- 
puting a pairing whereas only two pairings have to be computed upon decryp- 
tion/verification. 

Setup: given k, the PKG chooses bilinear map groups $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T)$ of prime order $p > 2^k$ and generators $Q \in \mathbb{G}_2$, $P = \psi(Q) \in \mathbb{G}_1$, $g = e(P, Q) \in \mathbb{G}_T$. It then chooses a master key $s \leftarrow \mathbb{Z}_p^*$, a system-wide public key $Q_{pub} = sQ \in \mathbb{G}_2$ and hash functions $H_1 : \{0,1\}^* \to \mathbb{Z}_p^*$, $H_2 : \{0,1\}^* \times \mathbb{G}_T \to \mathbb{Z}_p^*$ and $H_3 : \mathbb{G}_T \to \{0,1\}^n$. The public parameters are

$$\mathsf{params} := \{\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, P, Q, g, Q_{pub}, e, \psi, H_1, H_2, H_3\}$$

Keygen: for an identity ID, the private key is $S_{ID} = \frac{1}{H_1(ID) + s}Q \in \mathbb{G}_2$.

Sign/Encrypt: given a message $M \in \{0,1\}^*$, a receiver's identity $ID_B$ and a sender's private key $S_{ID_A}$,

1. Pick $x \leftarrow \mathbb{Z}_p^*$, compute $r = g^x$ and $c = M \oplus H_3(r) \in \{0,1\}^n$.

2. Set $h = H_2(M, r) \in \mathbb{Z}_p^*$.

3. Compute $S = (x + h)\,\psi(S_{ID_A})$.

4. Compute $T = x\big(H_1(ID_B)P + \psi(Q_{pub})\big)$.

The ciphertext is $\sigma = (c, S, T) \in \{0,1\}^n \times \mathbb{G}_1 \times \mathbb{G}_1$.

Decrypt/Verify: given $\sigma = (c, S, T)$ and some sender's identity $ID_A$,

1. Compute $r = e(T, S_{ID_B})$, $M = c \oplus H_3(r)$, and $h = H_2(M, r)$.

2. Accept the message iff $r = e(S, H_1(ID_A)Q + Q_{pub})\,g^{-h}$. If this condition holds, return the message M and the signature $(h, S) \in \mathbb{Z}_p^* \times \mathbb{G}_1$.

If required, the anonymity property is obtained by scrambling the sender's identity $ID_A$ together with the message at step 1 of Sign/Encrypt in such a way that the recipient retrieves it at the first step of the reverse operation. This change does not imply any computational penalty in practice but induces more expensive security reductions. In order for the proof to hold, $ID_A$ must be appended to the inputs of $H_2$.
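To make the equations of sections 3 and 4.2 concrete, the following Python program (an added example, not code from the paper or its authors) implements Setup, Keygen, Sign, Verify, Sign/Encrypt and Decrypt/Verify over a toy bilinear map $e(xP, yQ) = g^{xy}$, where $\mathbb{G}_1 = \mathbb{G}_2 = \mathbb{Z}_p$ is written additively, $\psi$ is the identity and $\mathbb{G}_T$ is the order-p subgroup of $\mathbb{Z}_N^*$. This instantiation is insecure by design (a group element is its own discrete logarithm), so it demonstrates correctness only: that the verification equation holds, that the signcryption round-trips, that tampered ciphertexts and wrong identities are rejected, and that the pair $(h, S)$ returned by Decrypt/Verify verifies as a stand-alone IBS, which is the non-repudiation argument of section 4.1. The primes, the hash encodings and $n = 256$ bits are constructed choices.

```python
# Toy instantiation of the IBS (section 3) and IBSC (section 4.2) algorithms.
# Added example: G1 = G2 = Z_p written additively (P = Q = 1), G_T = <g> in Z_N^*,
# and e(xP, yQ) = g^(xy).  Insecure on purpose; demonstrates correctness only.
import hashlib
import secrets

p = 2**31 - 1   # prime group order (constructed demo parameter)
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 with the witness set above."""
    if n < 2:
        return False
    for q in _SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_target_group(order):
    """Return (N, g): N prime with order | N-1 and g of exact order `order` in Z_N^*."""
    k = 2
    while not is_prime(k * order + 1):
        k += 1
    n = k * order + 1
    for base in (2, 3, 5, 7):
        g_ = pow(base, k, n)        # g_^order = base^(N-1) = 1, so ord(g_) | order
        if g_ != 1:                 # order is prime, hence ord(g_) == order
            return n, g_
    raise RuntimeError("no generator found")


N, g = toy_target_group(p)          # g = e(P, Q) for P = Q = 1


def e(x, y):
    """Toy pairing e(xP, yQ) = g^(xy): bilinear and non-degenerate by construction."""
    return pow(g, (x * y) % p, N)


def _hash_to_zp_star(*parts):
    digest = hashlib.sha256(b"|".join(parts)).digest()
    return int.from_bytes(digest, "big") % (p - 1) + 1      # value in [1, p-1]


def H1(identity):                    # H1 : {0,1}* -> Z_p^*
    return _hash_to_zp_star(b"H1", identity)


def H2(msg, r):                      # H2 : {0,1}* x G_T -> Z_p^*
    return _hash_to_zp_star(b"H2", msg, r.to_bytes(16, "big"))


def H3(r):                           # H3 : G_T -> {0,1}^n with n = 256 bits
    return hashlib.sha256(b"H3" + r.to_bytes(16, "big")).digest()


def setup():
    """PKG setup: master key s and Q_pub = sQ (Q is the scalar 1 here)."""
    s = secrets.randbelow(p - 1) + 1
    return {"Qpub": s % p}, s


def keygen(s, identity):
    """S_ID = (1/(H1(ID)+s)) P; the G1 and G2 keys coincide since psi = identity.
    H1(ID)+s = 0 mod p has negligible probability and would raise ValueError."""
    return pow((H1(identity) + s) % p, -1, p)


def sign(S_id, msg):
    x = secrets.randbelow(p - 1) + 1
    r = pow(g, x, N)                               # r = g^x
    h = H2(msg, r)
    return (h, (x + h) * S_id % p)                 # sigma = (h, S), S = (x+h) S_ID


def verify(params, identity, msg, sig):
    h, S = sig
    # e(S, H1(ID)Q + Q_pub) g^{-h} = g^{(x+h)} g^{-h} = g^x must hash back to h
    r = e(S, (H1(identity) + params["Qpub"]) % p) * pow(g, (-h) % p, N) % N
    return h == H2(msg, r)


def sign_encrypt(params, S_a, id_b, msg):
    assert len(msg) == 32, "n = 256 bits in this toy instantiation"
    x = secrets.randbelow(p - 1) + 1
    r = pow(g, x, N)
    c = bytes(m ^ k for m, k in zip(msg, H3(r)))   # c = M xor H3(r)
    h = H2(msg, r)
    S = (x + h) * S_a % p                          # S = (x+h) psi(S_IDA)
    T = x * (H1(id_b) + params["Qpub"]) % p        # T = x (H1(ID_B) P + psi(Q_pub))
    return (c, S, T)


def decrypt_verify(params, S_b, id_a, ct):
    c, S, T = ct
    r = e(T, S_b)                                  # g^{x (H1(ID_B)+s) / (H1(ID_B)+s)} = g^x
    msg = bytes(ci ^ k for ci, k in zip(c, H3(r)))
    h = H2(msg, r)
    if r != e(S, (H1(id_a) + params["Qpub"]) % p) * pow(g, (-h) % p, N) % N:
        return None                                # the "bottom" symbol: reject
    return msg, (h, S)                             # (h, S) is an IBS on M under ID_A
```

Because `psi` is the identity here, the same `keygen` output serves as the $\mathbb{G}_1$ key of section 3 and the $\mathbb{G}_2$ key of section 4.2; with an asymmetric pairing the two would be different elements related by $\psi$.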


4.3 Security Results 


The following theorems claim the security of the scheme in the random oracle 
model under the same irreflexivity assumption as Boyen’s scheme [11]: the signa- 
ture/encryption algorithm is assumed to always take distinct identities as inputs 
(in other words, a principal never encrypts a message bearing his signature using 
his own identity). 


Theorem 2. Assume that an IND-IBSC-CCA adversary A has an advantage $\varepsilon$ against our scheme when running in time t, asking $q_{h_i}$ queries to random oracles $H_i$ (i = 1, 2, 3), $q_{se}$ signature/encryption queries and $q_{dv}$ queries to the decryption/verification oracle. Then there is an algorithm B to solve the q-BDHIP for $q = q_{h_1}$ with probability


qi n(Zqh 2 + qh 3 ) ' 


*)(*-!?) 


within a time $t' \le t + O(q_{se} + q_{dv})\tau_p + O(q_{h_1}^2)\tau_{mult} + O(q_{dv}q_{h_2})\tau_{exp}$ where $\tau_{exp}$ and $\tau_{mult}$ are respectively the costs of an exponentiation in $\mathbb{G}_T$ and a multiplication in $\mathbb{G}_2$ whereas $\tau_p$ is the complexity of a pairing computation.


Proof. See appendix B. □


Theorem 3. Assume there exists an ESUF-IBSC-CMA attacker A that makes $q_{h_i}$ queries to random oracles $H_i$ (i = 1, 2, 3), $q_{se}$ signature/encryption queries and $q_{dv}$ queries to the decryption/verification oracle. Assume also that, within a time t, A produces a forgery with probability $\varepsilon > 10(q_{se} + 1)(q_{se} + q_{h_2})/2^k$. Then, there is an algorithm B that is able to solve the q-SDHP for $q = q_{h_1}$ in expected time

$$t' \le 120686\,q_{h_1}q_{h_2}\,\frac{t + O\big((q_{se} + q_{dv})\tau_p\big) + q_{dv}q_{h_2}\tau_{exp}}{\varepsilon(1 - 1/2^k)(1 - q/2^k)} + O(q^2\tau_{mult})$$

where $\tau_{mult}$, $\tau_{exp}$ and $\tau_p$ denote the same quantities as in theorem 2.

Proof. See appendix C. □
We now restate theorem 2 for the variant of our scheme with anonymous ciphertexts. The simulator's worst-case running time is affected by the fact that, when handling Decrypt/Verify requests, senders' identities are not known in advance. The reduction involves a number of pairing calculations which is quadratic in the number of adversarial queries.


Theorem 4. Assume that an IND-IBSC-CCA adversary A has an advantage $\varepsilon$ against our scheme when running in time t, asking $q_{h_i}$ queries to random oracles $H_i$ (i = 1, 2, 3), $q_{se}$ signature/encryption queries and $q_{dv}$ queries to the decryption/verification oracle. Then there is an algorithm B to solve the q-BDHIP for $q = q_{h_1}$ with probability


qh t (2g?, 2 + qh 3 ) 


a ) o-f) 


within a time $t' \le t + O(q_{se} + q_{dv}q_{h_2})\tau_p + O(q_{h_1}^2)\tau_{mult} + O(q_{dv}q_{h_2})\tau_{exp}$ where $\tau_{exp}$, $\tau_{mult}$ and $\tau_p$ denote the same quantities as in previous theorems.

Proof. See appendix D. □


Theorem 3 can be similarly restated as its reduction cost is affected in the same 
way. 

A formal proof of ciphertext anonymity in the model of [11] will be given in 
the full version of this paper for the anonymous version of the scheme. 

We concede that even the latter variant does not feature all the properties 
of the systems of Boyen ([11]) or Chen-Malone-Lee ([14]). For example, it does 
not have the ciphertext unlinkability property ([11,14]): it seems infeasible for 
anyone to use his private key to embed a given message-signature pair into a 
proper ciphertext intended to himself. We were also unable to formally estab- 
lish the ciphertext authentication property according to which a ciphertext is 
always signed and encrypted by the same person and cannot be subject to a 
kind of ‘man-in-the-middle’ attack. Nevertheless, the scheme does seem to have 
this property because of the same reason that precludes the ciphertext unlinka- 
bility property. 

Overall, we believe that the scheme does satisfy the main requirements that 
might be desired in practice. In our opinion, it suffices to implement most prac- 
tical applications and its great efficiency renders it more than interesting for 
identity-based cryptography. 


5 Efficiency Discussions and Comparisons 

In [35], Smart and Vercauteren pointed out problems that arise when several 
pairing based protocols are implemented with asymmetric pairings. They showed 
the difficulty of finding groups $\mathbb{G}_2$ allowing the use of the most efficient pairing calculation techniques for ordinary curves [3] if arbitrary strings should be efficiently hashed onto them and an efficient isomorphism $\psi : \mathbb{G}_2 \to \mathbb{G}_1$ must be available at the same time. As a consequence, several protocols have to be implemented with groups for which no efficient isomorphism $\psi : \mathbb{G}_2 \to \mathbb{G}_1$ is computable and their security eventually has to rely on somewhat unnatural assumptions.

Except [33] that has no security proof (and actually has several known secu- 
rity problems [28]), all known identity-based signcryption schemes would require 
to hash onto G 2 if they were instantiated with asymmetric pairings. Our scheme 
avoids this problem since it does not require to hash onto a cyclic group. It thus 
more easily benefits from optimized pairing calculation algorithms. For example, 
section 4 of [35] yields an example of group G 2 for which techniques of [3] can 
be used and where efficient isomorphisms are available. 

We now assess the comparative efficiency of several identity-based signcryp- 
tion schemes, implemented according to their original descriptions. Table 1 sum- 
marises the number of relevant basic operations underlying several identity-based 
signcryption and signature schemes, namely, G t exponentiations, scalar point 


Table 1. Efficiency comparison

                                    Sign/Encrypt                     Decrypt/Verify
signcryption scheme            exp  mul   pairings  time (ms)   exp  mul  pairings  time (ms)
Boyen ([11])                    1    3      1†        9.37        -    2      4†      12.66
Chow-Yiu-Hui-Chow¶ ([16])       -    2      2*        7.24        -    1      4*      11.88
Libert-Quisquater¶* ([26])      -    2      2*        7.24        -    1      4*      11.88
Nalla-Reddy^ ([30])             1    2      #         8.43        1    -      #        9.06
Malone-Lee* ([27])              -    3      1*        5.47        -    1      3        9.06
Chen-Malone-Lee ([14])          -    3      1†        5.47        -    1      3        9.06
Sakai-Kasahara* ([33])          2   1+1§    -         6.41        1    -      2        9.37
Libert-Quisquater* ([26])       -    3      1†        5.47        -    1      2        6.41
ours                            1    2      -         2.65        1    -      2        6.09

                                    Sign                             Verify
signature scheme               exp  mul   pairings  time (ms)   exp  mul  pairings  time (ms)
Chow-Yiu-Hui-Chow ([16])        -    2      -         3.60        -    -      2†       6.41
Hess ([24])                     1    2      -         2.50        1    -      2†       6.41
Cha-Cheon ([12])                -    2      -         1.87        -    1      2        6.41
ours                            -    2      -         1.56        -    1      1        3.60

(†) One pairing is precomputable, incurring for each user a storage cost of one $\mathbb{G}_T$ element for each other user in the system.

(‡) One pairing is precomputable, incurring for each user a storage cost of one $\mathbb{G}_T$ element for each other user in the system, plus one $\mathbb{G}_T$ exponentiation.

(★) Two pairings are precomputable, incurring for each user a storage cost of one $\mathbb{G}_T$ element for each user in the system, plus two $\mathbb{G}_T$ exponentiations.

(§) One of the scalar multiplications is done in $\langle Q \rangle$ rather than $\langle P \rangle$ where (P, Q) generates E[p].

(¶) Universally verifiable scheme (i.e. supports public ciphertext validation).

(♣) These schemes suffer from security problems as mentioned in [26,28].

(♠) This scheme does not provide insider-security for the message-confidentiality criterion.

(◊) This scheme has no security proof.

(⋈) This construction can only authenticate messages from the receiver's point of view.
multiplications, and pairing evaluations, and compares the observed processing 
times (in milliseconds) for a supersingular curve of embedding degree k = 6 over 
$\mathbb{F}_{3^{97}}$, using implementations written in C++ and run on an Athlon XP 2 GHz. 
Subtleties in the algorithms determine somewhat different running times even 
when the operation counts for those algorithms are equal. We see from these 
results that our proposed algorithms rank among the fastest schemes. 

6 Conclusion 

We have described efficient and provably secure signature and signcryption 
schemes that are faster than any pairing-based scheme previously proposed in 
the literature. The latter can be instantiated with either named or anonymous 
ciphertexts and is more convenient than previous proposals for implementations 
with asymmetric pairings. 
A Proof of Lemma 2

Proof. We first show how to provide the adversary with a consistent view and we then explain how to apply the forking lemma.

Algorithm B takes as input $(P, Q, \alpha Q, \alpha^2 Q, \ldots, \alpha^q Q)$ and aims to find a pair $\big(c, \frac{1}{c+\alpha}P\big)$. In a setup phase, it builds a generator $G \in \mathbb{G}_1$ such that it knows $q - 1$ pairs $\big(w_i, \frac{1}{w_i+\alpha}G\big)$ for $w_1, \ldots, w_{q-1} \leftarrow \mathbb{Z}_p^*$. To do so,

1. It picks $w_1, \ldots, w_{q-1} \leftarrow \mathbb{Z}_p^*$ and expands $f(z) = \prod_{i=1}^{q-1}(z + w_i)$ to obtain $c_0, \ldots, c_{q-1} \in \mathbb{Z}_p^*$ so that $f(z) = \sum_{i=0}^{q-1} c_i z^i$.

2. It sets generators $H = \sum_{i=0}^{q-1} c_i(\alpha^i Q) = f(\alpha)Q \in \mathbb{G}_2$ and $G = \psi(H) = f(\alpha)P \in \mathbb{G}_1$. The public key $H_{pub} \in \mathbb{G}_2$ is fixed to $H_{pub} = \sum_{i=1}^{q} c_{i-1}(\alpha^i Q)$ so that $H_{pub} = \alpha H$ although B does not know $\alpha$.

3. For $1 \le i \le q - 1$, B expands $f_i(z) = f(z)/(z + w_i) = \sum_{j=0}^{q-2} d_j z^j$ and

$$\psi\Big(\sum_{j=0}^{q-2} d_j(\alpha^j Q)\Big) = f_i(\alpha)P = \frac{f(\alpha)}{\alpha + w_i}P = \frac{1}{\alpha + w_i}G. \qquad (1)$$

The pairs $\big(w_i, \frac{1}{\alpha+w_i}G\big)$ are computed using the left member of (1).

B is then ready to answer $\mathcal{F}$'s queries along the course of the game. It first initializes a counter $\ell$ to 1 and launches $\mathcal{F}$ on the input $(H_{pub}, ID^*)$ for a randomly chosen challenge identity $ID^* \leftarrow \{0,1\}^*$. For simplicity, we assume that queries to $H_1$ are distinct, and that any query involving an identifier ID is preceded by the random oracle query $H_1(ID)$.
- $H_1$-queries on an identity $ID \in \{0,1\}^*$: B returns a random $w^* \leftarrow \mathbb{Z}_p^*$ if $ID = ID^*$. Otherwise, B answers $w = w_\ell \in \mathbb{Z}_p^*$ and increments $\ell$. In both cases, B stores $(ID, w)$ (where $w = w^*$ or $w_\ell$) in a list $L_1$.

- Key extraction queries on $ID \ne ID^*$: B recovers the matching pair $(ID, w)$ from $L_1$ and returns the previously computed $(1/(\alpha + w))G$.

- Signature query on a message-identity pair (M, ID): B picks $S \leftarrow \mathbb{G}_1$, $h \leftarrow \mathbb{Z}_p^*$, computes $r = e(S, Q_{ID})\,e(G, H)^{-h}$, where $Q_{ID} = H_1(ID)H + H_{pub}$, and backpatches to define the value $H_2(M, r)$ as $h \in \mathbb{Z}_p^*$ (B aborts in the unlikely event that $H_2(M, r)$ is already defined).

We have explained how to simulate the environment in a chosen-message and given identity attack. We are ready to apply the forking lemma, which essentially says the following: consider a scheme producing signatures of the form (M, r, h, S), where each of r, h, S corresponds to one of the three moves of an honest-verifier zero-knowledge protocol. Let us assume that a chosen-message attacker $\mathcal{F}$ forges a signature (M, r, h, S) in a time t with probability $\varepsilon > 10(q_s + 1)(q_s + q_h)/2^k$ (k being a security parameter so that h is uniformly taken from a set of $2^k$ elements) when making $q_s$ signature queries and $q_h$ random oracle calls. If the triples (r, h, S) can be simulated without knowing the private key, then there exists a Turing machine $\mathcal{F}'$ that uses $\mathcal{F}$ to produce two valid signatures $(m, r, h_1, S_1)$, $(m, r, h_2, S_2)$, with $h_1 \ne h_2$, in expected time $t' \le 120686\,q_h t/\varepsilon$.

In our setting, from a forger $\mathcal{F}$, we build an algorithm $\mathcal{F}'$ that replays $\mathcal{F}$ a sufficient number of times on the input $(H_{pub}, ID^*)$ to obtain two suitable forgeries $(M^*, r, h_1, S_1)$, $(M^*, r, h_2, S_2)$ with $h_1 \ne h_2$.

The reduction then works as follows. The simulator B runs $\mathcal{F}'$ to obtain two forgeries $(M^*, r, h_1, S_1)$, $(M^*, r, h_2, S_2)$ for the same message $M^*$ and commitment r. At this stage, B recovers the pair $(ID^*, w^*)$ from list $L_1$. We note that $w^* \ne w_1, \ldots, w_{q-1}$ with probability at least $1 - q/2^k$. If both forgeries satisfy the verification equation, we obtain the relations

$$e(S_1, Q_{ID^*})\,e(G, H)^{-h_1} = e(S_2, Q_{ID^*})\,e(G, H)^{-h_2},$$

with $Q_{ID^*} = H_1(ID^*)H + H_{pub} = (w^* + \alpha)H$. Then, it comes that

$$e\big((h_1 - h_2)^{-1}(S_1 - S_2), Q_{ID^*}\big) = e(G, H),$$

and hence $T^* = (h_1 - h_2)^{-1}(S_1 - S_2) = \frac{1}{w^* + \alpha}G$. From $T^*$, B can proceed as in [9] to extract $\sigma^* = \frac{1}{w^* + \alpha}P$: it first obtains $\gamma_{-1}, \gamma_0, \ldots, \gamma_{q-2} \in \mathbb{Z}_p^*$ for which

$$f(z)/(z + w^*) = \gamma_{-1}/(z + w^*) + \sum_{i=0}^{q-2}\gamma_i z^i$$

and eventually computes

$$\sigma^* = \frac{1}{\gamma_{-1}}\Big[T^* - \sum_{i=0}^{q-2}\gamma_i\,\psi(\alpha^i Q)\Big]$$

before returning the pair $(w^*, \sigma^*)$ as a result.

It finally comes that, if $\mathcal{F}$ forges a signature in a time t with probability $\varepsilon > 10(q_s + 1)(q_s + q_{h_2})/2^k$, B solves the q-SDHP in expected time

$$t' \le 120686\,q_{h_2}\big(t + O(q_s\tau_p)\big)/\big(\varepsilon(1 - q/2^k)\big) + O(q^2\tau_{mult})$$

where the last term accounts for the cost of the preparation phase. □
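The polynomial bookkeeping of the setup phase (steps 1 to 3) and of the final extraction step is easy to lose track of. The following Python program, an added example that is not taken from the paper, carries it out over $\mathbb{Z}_p$ with group elements represented by their discrete logarithms (the toy representation in which $\psi$ is the identity and the instance $(Q, \alpha Q, \ldots, \alpha^q Q)$ is a list of scalars). The simulator code touches only that list; $\alpha$ itself is used solely to build the instance and in the assertions that check identity (1) and the recovered $\sigma^*$. The prime p and the query count q are constructed demo parameters.

```python
# Added example: steps 1-3 of the setup phase and the final extraction of the
# q-SDH reduction in the proof of Lemma 2, over Z_p with group elements
# represented by their discrete logarithms (Q = P = 1, psi = identity).
import secrets

P_ORDER = 2**31 - 1   # prime group order p (constructed demo parameter)


def poly_mul_linear(coeffs, w, p):
    """Multiply a polynomial (coefficients low -> high) by (z + w) mod p."""
    out = [0] * (len(coeffs) + 1)
    for i, c in enumerate(coeffs):
        out[i] = (out[i] + c * w) % p
        out[i + 1] = (out[i + 1] + c) % p
    return out


def poly_div_linear(coeffs, w, p):
    """Divide f(z) by (z + w) mod p via synthetic division.
    Returns (quotient coeffs low -> high, remainder) with
    f(z)/(z+w) = remainder/(z+w) + quotient(z)."""
    n = len(coeffs) - 1                       # degree of f
    quot = [0] * n
    quot[n - 1] = coeffs[n] % p
    for i in range(n - 1, 0, -1):
        quot[i - 1] = (coeffs[i] - w * quot[i]) % p
    rem = (coeffs[0] - w * quot[0]) % p
    return quot, rem


def eval_in_exponent(coeffs, powers, p):
    """sum_i c_i (alpha^i Q) computed from the published powers only."""
    return sum(c * powers[i] for i, c in enumerate(coeffs)) % p


def sdh_reduction_demo(q, alpha=None, p=P_ORDER):
    """Build (w_i, (1/(alpha+w_i)) G) from the instance and recover
    sigma* = (1/(w*+alpha)) P from T* = (1/(w*+alpha)) G; True on success."""
    if q < 2:
        raise ValueError("need q >= 2 so that f has degree >= 1")
    alpha = alpha if alpha is not None else secrets.randbelow(p - 1) + 1
    powers = [pow(alpha, i, p) for i in range(q + 1)]      # the instance alpha^i Q
    ws = [secrets.randbelow(p - 1) + 1 for _ in range(q - 1)]
    f = [1]
    for w in ws:                                           # step 1: f(z) = prod (z + w_i)
        f = poly_mul_linear(f, w, p)
    H = eval_in_exponent(f, powers, p)                     # step 2: H = f(alpha) Q, G = psi(H) = H
    H_pub = sum(c * powers[i + 1] for i, c in enumerate(f)) % p   # sum c_{i-1} alpha^i Q
    assert H_pub == alpha * H % p                          # H_pub = alpha H (checked with the secret)
    for w in ws:                                           # step 3: pairs via f_i = f/(z + w_i)
        f_i, rem = poly_div_linear(f, w, p)
        assert rem == 0                                    # (z + w_i) divides f exactly
        elem = eval_in_exponent(f_i, powers, p)            # left member of (1)
        assert elem == pow((alpha + w) % p, -1, p) * H % p   # equals (1/(alpha+w_i)) G
    w_star = secrets.randbelow(p - 1) + 1                  # hash of the challenge identity
    T_star = pow((alpha + w_star) % p, -1, p) * H % p      # what the two forgeries yield
    gammas, gamma_m1 = poly_div_linear(f, w_star, p)       # f/(z+w*) = gamma_-1/(z+w*) + sum gamma_i z^i
    if gamma_m1 == 0:                                      # w* collided with some w_i (prob <= q/2^k)
        return False
    sigma_star = pow(gamma_m1, -1, p) * (T_star - eval_in_exponent(gammas, powers, p)) % p
    return sigma_star == pow((alpha + w_star) % p, -1, p)  # (1/(w*+alpha)) P with P = 1
```

The remainder returned by `poly_div_linear` is exactly the $\gamma_{-1}$ of the proof, and it vanishes precisely when $w^*$ equals one of the $w_i$, which is the event the bound $1 - q/2^k$ excludes.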
B Proof of Theorem 2

Proof. Algorithm $\mathcal{B}$ takes as input $(P, Q, \alpha Q, \alpha^2 Q, \dots, \alpha^q Q)$ and attempts to extract $e(P, Q)^{1/\alpha}$ from its interaction with $\mathcal{A}$.

In a preparation phase, $\mathcal{B}$ selects $\ell \xleftarrow{R} \{1, \dots, q_{h_1}\}$, elements $I_\ell \xleftarrow{R} \mathbb{Z}_p^*$ and $w_1, \dots, w_{\ell-1}, w_{\ell+1}, \dots, w_q \xleftarrow{R} \mathbb{Z}_p^*$. For $i = 1, \dots, \ell-1, \ell+1, \dots, q$, it computes $I_i = I_\ell - w_i$. As in the technique of [9] and in lemma 2, it sets up generators $G_2 \in \mathbb{G}_2$, $G_1 = \psi(G_2) \in \mathbb{G}_1$ and another $\mathbb{G}_2$ element $U = \alpha G_2$ such that it knows $q - 1$ pairs $(w_i, H_i = \frac{1}{w_i + \alpha} G_2)$ for $i \in \{1, \dots, q\} \setminus \{\ell\}$. The system-wide public key $Q_{pub}$ is chosen as

$$Q_{pub} = -U - I_\ell G_2 = (-\alpha - I_\ell) G_2$$

so that its (unknown) private key is implicitly set to $x = -\alpha - I_\ell \in \mathbb{Z}_p^*$. For all $i \in \{1, \dots, q\} \setminus \{\ell\}$, we have $(I_i, -H_i) = (I_i, \frac{1}{I_i + x} G_2)$ (indeed $I_i + x = -(w_i + \alpha)$).

$\mathcal{B}$ then initializes a counter $\nu$ to 1 and starts $\mathcal{A}$ on input of $(G_1, G_2, Q_{pub})$. Throughout the game, we assume that $H_1$-queries are distinct, that the target identity $\mathrm{ID}_\ell$ is submitted to $H_1$ at some point and that any query involving an identity $\mathrm{ID}$ comes after a $H_1$-query on $\mathrm{ID}$:

- $H_1$-queries (let us call $\mathrm{ID}_\nu$ the input of the $\nu$-th one of such queries): $\mathcal{B}$ answers $I_\nu$ and increments $\nu$.

- $H_2$-queries on input $(M, r)$: $\mathcal{B}$ returns the defined value if it exists and a random $h_2 \xleftarrow{R} \mathbb{Z}_p^*$ otherwise. To anticipate possible subsequent Decrypt/Verify requests, $\mathcal{B}$ additionally simulates random oracle $H_3$ on its own to obtain $h_3 = H_3(r) \in \{0,1\}^n$ and stores the information $(M, r, h_2, c = M \oplus h_3, \gamma = r \cdot e(G_1, G_2)^{h_2})$ in $L_2$.

- $H_3$-queries for an input $r \in \mathbb{G}_T$: $\mathcal{B}$ returns the previously assigned value if it exists and a random $h_3 \xleftarrow{R} \{0,1\}^n$ otherwise. In the latter case, the input $r$ and the response $h_3$ are stored in a list $L_3$.

- Keygen queries on an input $\mathrm{ID}_\nu$: if $\nu = \ell$, then $\mathcal{B}$ fails. Otherwise, it knows that $H_1(\mathrm{ID}_\nu) = I_\nu$ and returns $-H_\nu = \frac{1}{I_\nu + x} G_2 \in \mathbb{G}_2$.

- Sign/Encrypt queries for a plaintext $M$ and identities $(\mathrm{ID}_S, \mathrm{ID}_R) = (\mathrm{ID}_\mu, \mathrm{ID}_\nu)$ for $\mu, \nu \in \{1, \dots, q_{h_1}\}$: we observe that, if $\mu \neq \ell$, $\mathcal{B}$ knows the sender's private key $S_{\mathrm{ID}_\mu} = -H_\mu$ and can answer the query according to the specification of Sign/Encrypt. We thus assume $\mu = \ell$ and hence $\nu \neq \ell$ by the irreflexivity assumption. Observe that $\mathcal{B}$ knows the receiver's private key $S_{\mathrm{ID}_\nu} = -H_\nu$ by construction. The difficulty is to find a random triple $(S, T, h) \in \mathbb{G}_1 \times \mathbb{G}_1 \times \mathbb{Z}_p^*$ for which

$$e(T, S_{\mathrm{ID}_\nu}) = e(S, Q_{\mathrm{ID}_\ell})\, e(G_1, G_2)^{-h} \qquad (2)$$

where $Q_{\mathrm{ID}_\ell} = I_\ell G_2 + Q_{pub}$. To do so, $\mathcal{B}$ randomly chooses $t, h \xleftarrow{R} \mathbb{Z}_p^*$ and computes $S = t\psi(S_{\mathrm{ID}_\nu}) = -t\psi(H_\nu)$, $T = t\psi(Q_{\mathrm{ID}_\ell}) - h\psi(Q_{\mathrm{ID}_\nu})$ where $Q_{\mathrm{ID}_\nu} = I_\nu G_2 + Q_{pub}$ in order to obtain the desired equality $r = e(T, S_{\mathrm{ID}_\nu}) = e(S, Q_{\mathrm{ID}_\ell})\, e(G_1, G_2)^{-h} = e(\psi(S_{\mathrm{ID}_\nu}), Q_{\mathrm{ID}_\ell})^t\, e(G_1, G_2)^{-h}$ before patching the hash value $H_2(M, r)$ to $h$ ($\mathcal{B}$ fails if $H_2$ is already defined but this only happens with probability $(q_{se} + q_{h_2})/2^k$). The ciphertext $\sigma = (M \oplus H_3(r), S, T)$ is returned.
- Decrypt/Verify queries on a ciphertext $\sigma = (c, S, T)$ for identities $(\mathrm{ID}_S, \mathrm{ID}_R) = (\mathrm{ID}_\mu, \mathrm{ID}_\nu)$: we assume that $\nu = \ell$ (and hence $\mu \neq \ell$ by the irreflexivity assumption), because otherwise $\mathcal{B}$ knows the receiver's private key $S_{\mathrm{ID}_\nu} = -H_\nu$ and can normally run the Decrypt/Verify algorithm. Since $\mu \neq \ell$, $\mathcal{B}$ has the sender's private key $S_{\mathrm{ID}_\mu}$ and also knows that, for all valid ciphertexts, $\log_{S_{\mathrm{ID}_\mu}}(\psi^{-1}(S) - hS_{\mathrm{ID}_\mu}) = \log_{\psi(Q_{\mathrm{ID}_\nu})}(T)$, where $h = H_2(M, r)$ is the hash value obtained in the Sign/Encrypt algorithm and $Q_{\mathrm{ID}_\nu} = I_\nu G_2 + Q_{pub}$. Hence, we have the relation

$$e(T, S_{\mathrm{ID}_\mu}) = e\big(\psi(Q_{\mathrm{ID}_\nu}),\, \psi^{-1}(S) - hS_{\mathrm{ID}_\mu}\big) \qquad (3)$$

which yields $e(T, S_{\mathrm{ID}_\mu}) = e(\psi(Q_{\mathrm{ID}_\nu}), \psi^{-1}(S))\, e(\psi(Q_{\mathrm{ID}_\nu}), S_{\mathrm{ID}_\mu})^{-h}$. We observe that the latter equality can be tested without inverting $\psi$ as $e(\psi(Q_{\mathrm{ID}_\nu}), \psi^{-1}(S)) = e(S, Q_{\mathrm{ID}_\nu})$. The query is thus handled by computing $\gamma = e(S, Q_{\mathrm{ID}_\mu})$, where $Q_{\mathrm{ID}_\mu} = I_\mu G_2 + Q_{pub}$, and searching through list $L_2$ for entries of the form $(M_i, r_i, h_{2,i}, c, \gamma)$ indexed by $i \in \{1, \dots, q_{h_2}\}$. If none is found, $\sigma$ is rejected. Otherwise, each one of them is further examined: for the corresponding indexes, $\mathcal{B}$ checks if

$$e(T, S_{\mathrm{ID}_\mu}) \big/ e(S, Q_{\mathrm{ID}_\nu}) = e(\psi(Q_{\mathrm{ID}_\nu}), S_{\mathrm{ID}_\mu})^{-h_{2,i}} \qquad (4)$$

(the pairings are computed only once and at most $q_{h_2}$ exponentiations are needed), meaning that (3) is satisfied. If the unique $i \in \{1, \dots, q_{h_2}\}$ satisfying (4) is detected, the matching pair $(M_i, (h_{2,i}, S))$ is returned. Otherwise, $\sigma$ is rejected. Overall, an inappropriate rejection occurs with probability smaller than $q_{dv}/2^k$ across the whole game.

At the challenge phase, $\mathcal{A}$ outputs messages $(M_0, M_1)$ and identities $(\mathrm{ID}_S, \mathrm{ID}_R)$ for which she never obtained $\mathrm{ID}_R$'s private key. If $\mathrm{ID}_R \neq \mathrm{ID}_\ell$, $\mathcal{B}$ aborts. Otherwise, it picks $\xi \xleftarrow{R} \mathbb{Z}_p^*$, $c \xleftarrow{R} \{0,1\}^n$ and $S \xleftarrow{R} \mathbb{G}_1$ to return the challenge $\sigma^* = (c, S, T)$ where $T = -\xi G_1 \in \mathbb{G}_1$. If we define $\rho = \xi/\alpha$ and since $x = -\alpha - I_\ell$, we can check that

$$T = -\xi G_1 = -\alpha\rho G_1 = (I_\ell + x)\rho G_1 = \rho I_\ell G_1 + \rho\psi(Q_{pub}),$$

i.e. $T = \rho\psi(Q_{\mathrm{ID}_\ell})$ is the $T$ component of a genuine ciphertext with randomness $\rho$. $\mathcal{A}$ cannot recognize that $\sigma^*$ is not a proper ciphertext unless she queries $H_2$ or $H_3$ on $e(G_1, G_2)^\rho$. Along the guess stage, her view is simulated as before and her eventual output is ignored. Standard arguments can show that a successful $\mathcal{A}$ is very likely to query $H_2$ or $H_3$ on the input $e(G_1, G_2)^\rho$ if the simulation is indistinguishable from a real attack environment.

To produce a result, $\mathcal{B}$ fetches a random entry $(M, r, h_2, c, \gamma)$ or $(r, \cdot)$ from the lists $L_2$ or $L_3$. With probability $1/(2q_{h_2} + q_{h_3})$ (as $L_3$ contains no more than $q_{h_2} + q_{h_3}$ records by construction), the chosen entry will contain the right element $r = e(G_1, G_2)^\rho = e(P, Q)^{f(\alpha)^2 \xi/\alpha}$, where $f(z) = \sum_{i=0}^{q-1} c_i z^i$ is the polynomial for which $G_2 = f(\alpha) Q$. The $q$-BDHIP solution can be extracted by noting that, if $\gamma^* = e(P, Q)^{1/\alpha}$, then

$$e(G_1, G_2)^{1/\alpha} = \gamma^{*\,(c_0^2)} \cdot e\Big(\sum_{i=0}^{q-2} c_{i+1}(\alpha^i P),\, c_0 Q\Big) \cdot e\Big(G_1,\, \sum_{j=0}^{q-2} c_{j+1}(\alpha^j Q)\Big).$$
In an analysis of $\mathcal{B}$'s advantage, we note that it only fails in providing a consistent simulation because of one of the following independent events:

$E_1$: $\mathcal{A}$ does not choose to be challenged on $\mathrm{ID}_\ell$.

$E_2$: a key extraction query is made on $\mathrm{ID}_\ell$.

$E_3$: $\mathcal{B}$ aborts in a Sign/Encrypt query because of a collision on $H_2$.

$E_4$: $\mathcal{B}$ rejects a valid ciphertext at some point of the game.

We clearly have $\Pr[\neg E_1] = 1/q_{h_1}$ and we know that $\neg E_1$ implies $\neg E_2$. We also already observed that $\Pr[E_3] \leq q_{se}(q_{se} + q_{h_2})/2^k$ and $\Pr[E_4] \leq q_{dv}/2^k$. We thus find that

$$\Pr[\neg E_1 \wedge \neg E_3 \wedge \neg E_4] \geq \frac{1}{q_{h_1}} \Big(1 - \frac{q_{se}(q_{se} + q_{h_2})}{2^k}\Big) \Big(1 - \frac{q_{dv}}{2^k}\Big).$$

We obtain the announced bound by noting that $\mathcal{B}$ selects the correct element from $L_2$ or $L_3$ with probability $1/(2q_{h_2} + q_{h_3})$. Its workload is dominated by $O(q_{h_1}^2)$ multiplications in the preparation phase, $O(q_{se} + q_{dv})$ pairing calculations and $O(q_{dv} q_{h_2})$ exponentiations in $\mathbb{G}_T$ in its emulation of the Sign/Encrypt and Decrypt/Verify oracles. □


C Proof of Theorem 3

Proof. The proof is almost similar to the one of theorem 1. Namely, it shows that a forger in the ESUF-IBSC-CMA game implies a forger in a chosen-message and given identity attack. Using the forking lemma [31,32], the latter is in turn shown to imply an algorithm to solve the $q$-Strong Diffie-Hellman problem. More precisely, queries to the Sign/Encrypt and Decrypt/Verify oracles are answered as in the proof of theorem 2 and, at the outset of the game, the simulator chooses public parameters in such a way that it can extract private keys associated to any identity but the one which is given as a challenge to the adversary. By doing so, thanks to the irreflexivity assumption, it is able to extract clear message-signature pairs from ciphertexts produced by the forger (as it knows the private key of the receiving identity $\mathrm{ID}_R$). □


D Proof of Theorem 4

Proof. The simulator is the same as in theorem 2 with the following differences (recall that senders' identities are provided as inputs to $H_2$).

- $H_2$-queries on input $(\mathrm{ID}_S, M, r)$: $\mathcal{B}$ returns the previously defined value if it exists and a random $h_2 \xleftarrow{R} \mathbb{Z}_p^*$ otherwise. To anticipate subsequent Decrypt/Verify requests, $\mathcal{B}$ simulates oracle $H_3$ to obtain $h_3 = H_3(r) \in \{0,1\}^{n + n_0}$ (where $n_0$ is the maximum length of identity strings) and stores $(\mathrm{ID}_S, M, r, h_2, c = (M \| \mathrm{ID}_S) \oplus h_3, \gamma = r \cdot e(G_1, G_2)^{h_2})$ in list $L_2$.
- Decrypt/Verify queries: given a ciphertext $\sigma = (c, S, T)$ and a receiver's identity $\mathrm{ID}_R = \mathrm{ID}_\nu$, we assume that $\nu = \ell$ because otherwise $\mathcal{B}$ knows the receiver's private key. The simulator $\mathcal{B}$ does not know the sender's identity $\mathrm{ID}_S$ but knows that $\mathrm{ID}_S \neq \mathrm{ID}_\nu$. It also knows that, for the private key $S_{\mathrm{ID}_S}$, $\log_{S_{\mathrm{ID}_S}}(\psi^{-1}(S) - hS_{\mathrm{ID}_S}) = \log_{\psi(Q_{\mathrm{ID}_\nu})}(T)$, and hence

$$e(T, S_{\mathrm{ID}_S}) = e\big(\psi(Q_{\mathrm{ID}_\nu}),\, \psi^{-1}(S) - hS_{\mathrm{ID}_S}\big), \qquad (5)$$

where $h = H_2(\mathrm{ID}_S, M, r)$ is the hash value obtained in the Sign/Encrypt algorithm and $Q_{\mathrm{ID}_\nu} = I_\nu G_2 + Q_{pub}$. The query is handled by searching through list $L_2$ for entries of the form $(\mathrm{ID}_{S,i}, M_i, r_i, h_{2,i}, c, \gamma_i)$ indexed by $i \in \{1, \dots, q_{h_2}\}$. If none is found, the ciphertext is rejected. Otherwise, each one of these entries for which $\mathrm{ID}_{S,i} \neq \mathrm{ID}_\nu$ is further examined by checking whether $\gamma_i = e(S, H_1(\mathrm{ID}_{S,i}) G_2 + Q_{pub})$ and

$$e(T, S_{\mathrm{ID}_{S,i}}) \big/ e(S, Q_{\mathrm{ID}_\nu}) = e(\psi(Q_{\mathrm{ID}_\nu}), S_{\mathrm{ID}_{S,i}})^{-h_{2,i}} \qquad (6)$$

(at most $3q_{h_2} + 1$ pairings and $q_{h_2}$ exponentiations must be computed), meaning that equation (5) is satisfied and that the ciphertext contains a valid message-signature pair if both relations hold. If $\mathcal{B}$ detects an index $i \in \{1, \dots, q_{h_2}\}$ satisfying them, the matching pair $(M_i, (h_{2,i}, S))$ is returned. Otherwise, $\sigma$ is rejected and such a wrong rejection again occurs with an overall probability smaller than $q_{dv}/2^k$. □

E The Kurosawa-Heng Identity-Based Signature

We describe here the IBS scheme that can be derived from a modification of the Kurosawa-Heng [25] identity-based identification scheme using the Fiat-Shamir heuristic [20].

Setup and Keygen are the same as in our scheme described in section 3. The public parameters are

$$\mathrm{params} := \{\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, P, Q, g, Q_{pub}, e, \psi, H_1, H_2\}.$$

We also define $Q_{\mathrm{ID}} = H_1(\mathrm{ID}) Q + Q_{pub}$.

Sign: to sign a message $M \in \{0,1\}^*$, the signer does the following:

1. picks $x \xleftarrow{R} \mathbb{Z}_p^*$ and computes $r = e(P, Q_{\mathrm{ID}})^x \in \mathbb{G}_T$,

2. sets $h = H_2(M, r) \in \mathbb{Z}_p^*$,

3. computes $S = xP + hS_{\mathrm{ID}}$.

The signature on $M$ is $\sigma = (h, S) \in \mathbb{Z}_p^* \times \mathbb{G}_1$.

Verify: a signature $\sigma = (h, S)$ on a message $M$ is accepted iff

$$h = H_2\big(M,\, e(S, Q_{\mathrm{ID}})\, g^{-h}\big).$$

(Correctness follows from $e(S_{\mathrm{ID}}, Q_{\mathrm{ID}}) = e(P, Q) = g$, so that $e(S, Q_{\mathrm{ID}}) = r \cdot g^h$.) The above IBS can be proven secure under the $q$-Strong Diffie-Hellman assumption. Even in its optimized version where $e(P, H_1(\mathrm{ID}) Q + Q_{pub})$ is pre-computed by the signer, its signature generation algorithm happens to be slightly more expensive than our scheme's one which requires a simple scalar multiplication at step 3.
Fig. 1. Comparison of our approach to Goldwasser-Waisbard, Camenisch-Shoup, and Camenisch-Michels. Here $\lambda$ is a security parameter. We achieve efficient Confirm and Disavow protocols without using random oracles. Section 5 explains these results in detail.

an instantiation using Pedersen Commitments [23] together with Camenisch and Shoup's [6] variant of Paillier's cryptosystem [22]. This approach achieves Confirm and Disavow protocols without appealing to generic zero-knowledge proofs and without appealing to random oracles, independent of the choice of signature scheme. The resulting Confirm protocol requires 5 exponentiations (compared to 320 for Goldwasser-Waisbard) and our Disavow protocol requires 17,000 modular multiplications (whereas Goldwasser-Waisbard require a potentially very expensive generic zero-knowledge proof). Of course, we base our security on the security of Paillier's cryptosystem and on the security of Pedersen commitments, whereas Goldwasser and Waisbard require different assumptions than we do; we elaborate on this, and other aspects of the comparison, in Section 5. Third, we show that the resulting Confirm and Disavow protocols are zero-knowledge (whereas Goldwasser-Waisbard provide strong witness hiding proofs of knowledge), even against cheating verifiers, by combining the Camenisch-Shoup protocols with techniques of Cramer, Damgård and MacKenzie [13].

2 Preliminaries

Throughout, $\lambda$ is a positive integer denoting the security parameter. The security parameter is an implicit input to the algorithms discussed throughout the paper (and we omit it from the list of inputs when it might be otherwise clear from context). Let $\mathrm{negl}(\lambda)$ denote a negligible function; i.e., one that grows smaller than $1/\lambda^c$ for all $c$ and all sufficiently large $\lambda$. For a positive integer $a$, we let $[a]$ denote the set $\{0, \dots, a - 1\}$. If $\mathrm{Alg}(\cdot, \cdot, \dots)$ is a probabilistic algorithm, then $\mathrm{Alg}(x_1, x_2, \dots)$ is a probability space over the random choices made by Alg. We let $x \leftarrow \mathrm{Alg}(x_1, x_2, \dots)$ denote the experiment of running Alg on inputs $x_1, x_2, \dots$, where $x$ is a discrete random variable denoting the outcome. Note that Alg implicitly induces a distribution on the possible outputs. For a set $S$, we let $|S|$ denote the number of elements in $S$. If $S$ is defined by a mathematical group, then $|S|$ is the group order. If $S$ is equipped with a probability distribution $D$, we let $x \leftarrow S$ denote the experiment of choosing $x \in S$ according to $D$. We typically let the underlying distribution be the uniform distribution $R$. In our context an adversary (denoted by $\mathcal{A}$, $\mathcal{F}$, etc. depending on the situation) is a probabilistic polynomial time random access machine with oracle access to some number $\kappa$ of oracles, each of which is capable of computing some specified function. If $(f_1, \dots, f_\kappa)$ is a $\kappa$-tuple of (oracle implemented) functions, and $\mathcal{A}$ is a $\kappa$-oracle adversary, then $\mathcal{A}^{f_1, \dots, f_\kappa}$ denotes the adversary augmented with its oracles. An adversary may also have oracle access to a protocol, in which case the adversary provides protocol inputs from one side of the protocol (e.g., a verifier in an interactive proof system) and has oracle access to the responses from the other side of the protocol (e.g., a prover in an interactive proof system). As above, the adversary on a given set of inputs induces a probability space, and we can associate a discrete random variable to the output of the experiment of running the adversary on a given set of inputs equipped with a given set of oracles. We now describe some of the tools required for our construction.

Proofs of Knowledge. Some of our protocols will be proofs of knowledge (PoK), as defined by Bellare and Goldreich [3]. Informally, an interactive proof $(P, V)$ for a relation $R = \{(\alpha, \beta)\}$ is a proof of knowledge if there exists a probabilistic polynomial time knowledge extractor $E$ who can extract a witness $\beta$ given oracle access to a (possibly cheating) prover. The knowledge extractor is allowed to rewind the prover if necessary. The knowledge error of a ZKPoK quantifies the success probability of the extractor in terms of the prover's probability of convincing the verifier. Specifically, let $P$ be a prover with respect to $\alpha$. We say that the proof of knowledge has knowledge error $\kappa(\alpha)$ if, when the prover succeeds with probability $\varepsilon(\alpha)$, the knowledge extractor $E^P$ succeeds with probability at least $\varepsilon(\alpha) - \kappa(\alpha)$.

Zero-Knowledge Proofs. The well-known Chaum-Pedersen protocol for proving equality of discrete logarithms and the Camenisch-Shoup protocols (which we describe below) are special honest-verifier zero-knowledge $\Sigma$-protocols [19] (SHVZK). This means that the protocols are public-coin and can be simulated assuming an honest verifier (i.e., a verifier that picks challenges uniformly at random). The special property means there is a simulator that, given the challenge of a verifier, can create the prover's messages.
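The two notions just introduced, the rewinding knowledge extractor and the special HVZK simulator, are easiest to see on the Chaum-Pedersen protocol itself. The following is an added worked example, not code from the paper: a prover, a verifier, the simulator that produces an accepting transcript from the challenge alone, and the extractor that recovers the witness from two transcripts sharing a commitment. The group is an assumption chosen for the demo (quadratic residues modulo the safe prime $P = 2q+1 = 1187$, prime order $q = 593$, generators $g = 4$ and $h = 9$); it is far too small for real use and only exercises the arithmetic.

```python
# Added example (not from the paper): Chaum-Pedersen equality of discrete logs,
# its special HVZK simulator and its knowledge extractor, in a toy group.

P, q = 1187, 593       # safe prime P = 2q + 1 (assumption; toy size)
g, h = 4, 9            # two squares, hence generators of the order-q subgroup


def statement(w):
    """Public instance (y1, y2) = (g^w, h^w); the prover's witness is w."""
    return pow(g, w, P), pow(h, w, P)


def commit(k):
    """Prover's first message for a fresh nonce k in Z_q."""
    return pow(g, k, P), pow(h, k, P)


def respond(k, w, e):
    """Prover's answer to the verifier's challenge e in Z_q."""
    return (k + e * w) % q


def verify(stmt, a, e, z):
    """Verifier's check: g^z = a1 * y1^e and h^z = a2 * y2^e."""
    y1, y2 = stmt
    a1, a2 = a
    return (pow(g, z, P) == a1 * pow(y1, e, P) % P and
            pow(h, z, P) == a2 * pow(y2, e, P) % P)


def simulate(stmt, e, z):
    """Special HVZK simulator: with the challenge e known in advance, pick the
    answer z first and solve for the commitment that makes verify() accept.
    No witness is used, and (a, e, z) is distributed exactly like a real
    transcript when z is uniform, so the transcript reveals nothing about w."""
    y1, y2 = stmt
    a1 = pow(g, z, P) * pow(y1, (-e) % q, P) % P
    a2 = pow(h, z, P) * pow(y2, (-e) % q, P) % P
    return (a1, a2), e, z


def extract(e1, z1, e2, z2):
    """Knowledge extractor: rewind the prover to the same commitment, obtain
    answers to two distinct challenges and solve for w (special soundness).
    The knowledge error is 1/q, the chance that the two challenges coincide."""
    if (e1 - e2) % q == 0:
        return None
    return (z1 - z2) * pow((e1 - e2) % q, -1, q) % q


def demo(seed=7):
    """Real run, simulated run and extraction; returns three booleans."""
    import random
    rng = random.Random(seed)
    w = rng.randrange(1, q)
    stmt = statement(w)
    k, e = rng.randrange(1, q), rng.randrange(q)
    real = (commit(k), e, respond(k, w, e))
    fake = simulate(stmt, e, rng.randrange(q))          # same challenge, no witness
    e2 = (e + 1) % q                                    # "rewind" and re-challenge
    recovered = extract(e, real[2], e2, respond(k, w, e2))
    return verify(stmt, *real), verify(stmt, *fake), recovered == w
```

The simulator is what makes the protocol honest-verifier zero-knowledge only: it needs $e$ before choosing the commitment, which a cheating verifier who picks $e$ after seeing $a$ denies it. That gap is exactly what the CDM construction discussed next closes.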

The zero-knowledge proofs in our DCS scheme, however, must be zero-knowledge even against arbitrarily cheating verifiers. Moreover, we must be careful that our ZK proofs in our scheme not only reveal nothing about the witness, but also that the transcripts of a "real-world" interaction between the prover and a verifier in the ZK proof are indistinguishable from a transcript that a probabilistic polynomial-time simulator can generate using rewindable black-box access to the verifier. Such ZK proof protocols can be found in [15,13]. For our efficient instantiation, we prefer the Cramer-Damgård-MacKenzie (CDM) approach, in which a prover $P$ proves knowledge of a witness $w$ for $x$ to verifier $V$ using SHVZK $\Sigma$-protocols in both directions, roughly as follows:

- Part 1: $V$ commits to a value $e$ and proves knowledge of $e$;

- Part 2: $P$ gives a witness-indistinguishable proof of knowledge of either the verifier's value $e$ or the witness $w$.

When applied to SHVZK 3-round proofs of knowledge, this approach yields a zero-knowledge proof of knowledge (ZKPoK) with negligible knowledge error, negligible soundness error, and which remains perfect zero-knowledge even against malicious adversaries. Specifically, there exists a simulator $S_V$ that, given access to an arbitrary verifier $V'$, outputs a transcript identically distributed to the transcript of interactions between the prover and $V'$. We will use this simulator extensively in the reduction algorithm of our DCS scheme's proof of security. Strictly speaking, the SHVZK 3-round proof of knowledge must satisfy an additional condition, namely that an associated "commitment relation" also have a 3-round proof of knowledge. Fortunately, as we will see, this is the case for our efficient instantiation, because we can leverage an efficient discrete logarithm protocol given by Cramer et al. [13].

Camenisch-Shoup Verifiable Encryption. We use an adaptation of Camenisch and Shoup's Paillier-based encryption scheme, which allows verifiable encryption of discrete logarithms. The scheme relies on the decisional composite residuosity assumption (DCRA). Let $P, Q$ be safe primes, i.e., $P = 2p + 1$ and $Q = 2q + 1$ for (Sophie Germain) primes $p, q$. Let $N = PQ$. The DCRA states, roughly, that it is hard to distinguish random elements of $\mathbb{Z}^*_{N^2}$ from random elements of the subgroup consisting of all $N$-th powers of elements in $\mathbb{Z}^*_{N^2}$. The original DCRA introduced by [22] does not require the use of Sophie-Germain primes, though they are required by [6] and by us for technical reasons. As pointed out by [6], it is clear that as long as Sophie-Germain primes are sufficiently dense in the set of primes (as is believed to be true), then the DCRA without the Sophie-Germain restriction implies the DCRA with the Sophie-Germain restriction.

We give a sketch of the encryption scheme; details can be found in [6]. The user creates a composite modulus $N = PQ$ as above. The user's public key includes a collision-resistant hash function $H$, $h = 1 + N$, a random $g' \in (\mathbb{Z}/N^2\mathbb{Z})^*$, and values $g = g'^{2N}$, $y_1 = g^{x_1}$, $y_2 = g^{x_2}$, and $y_3 = g^{x_3}$ for secrets $x_1, x_2, x_3 \in [N^2/4]$.

To encrypt $r$ with a "label" $L \in \{0,1\}^*$, the sender chooses $t \in_R [N/4]$ and computes $(u, e, v)$ with $u = g^t$, $e = y_1^t h^r$, and $v = \mathrm{abs}\big((y_2 y_3^{H(u,e,L)})^t\big)$, where $\mathrm{abs}(a) = N^2 - (a \bmod N^2)$ if $(a \bmod N^2) > N^2/2$ and $\mathrm{abs}(a) = a \bmod N^2$ otherwise. The ciphertext is $(u, e, v, L)$. A user with the private key can decrypt $(u, e, v, L)$ as follows. First, it checks that $\mathrm{abs}(v) = v$ and $u^{2(x_2 + H(u,e,L) x_3)} = v^2$. If the check fails, the user outputs $\bot$ and halts. Otherwise, it computes $f = (e/u^{x_1})^{2k}$ for $k = 2^{-1} \bmod N$.

If $f$ is of the form $h^r$ for some $r \in [N]$, it outputs $r$; otherwise, it outputs $\bot$. (Since $h = 1 + N$ has order $N$ and $h^r = 1 + rN \bmod N^2$, this test and the recovery of $r$ amount to checking that $f - 1$ is a multiple of $N$ and dividing.)
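The sketch above, as an added worked example that is not code from the paper or from [6]: key generation, encryption under a label and decryption with the integrity check, instantiated with toy safe primes. The moduli $P = 1019 = 2 \cdot 509 + 1$ and $Q = 1187 = 2 \cdot 593 + 1$, the SHA-256 stand-in for the collision-resistant hash $H$, and the sample plaintext and label are all assumptions for the demo; such a modulus is factored instantly and only serves to exercise the arithmetic. The check on $v$ is what makes the scheme chosen-ciphertext secure: the example also shows that changing the label, shifting $e$ by $h$ (which would otherwise decrypt to $r + 1$), or replacing $v$ by $-v$ all yield $\bot$.

```python
# Added example (not from the paper): Camenisch-Shoup Paillier-based encryption
# with labels, on toy safe primes. Do not use these parameters for anything real.
import hashlib
import random

P, Q = 1019, 1187                   # safe primes (assumption): 509 and 593 are prime
p_, q_ = (P - 1) // 2, (Q - 1) // 2
N = P * Q
N2 = N * N
h = 1 + N                           # generator of the order-N subgroup of (Z/N^2 Z)^*


def H(u, e, L):
    """Stand-in for the public key's collision-resistant hash H(u, e, L)."""
    return int.from_bytes(hashlib.sha256(f"{u}|{e}|".encode() + L).digest(), "big")


def absN2(a):
    a %= N2
    return N2 - a if a > N2 // 2 else a


def keygen(rng):
    while True:
        gp = rng.randrange(2, N2)
        g = pow(gp, 2 * N, N2)                           # g = g'^(2N)
        if gp % P and gp % Q and pow(g, p_, N2) != 1 and pow(g, q_, N2) != 1:
            break                                        # g has full order p*q
    x1, x2, x3 = (rng.randrange(N2 // 4) for _ in range(3))
    pk = (g, pow(g, x1, N2), pow(g, x2, N2), pow(g, x3, N2))
    return pk, (x1, x2, x3)


def encrypt(pk, r, L, rng):
    """Encrypt r in [N] under label L: (u, e) is Paillier-like, v binds (u, e, L)."""
    g, y1, y2, y3 = pk
    assert 0 <= r < N
    t = rng.randrange(1, N // 4)
    u = pow(g, t, N2)
    e = pow(y1, t, N2) * pow(h, r, N2) % N2
    v = absN2(pow(y2 * pow(y3, H(u, e, L), N2) % N2, t, N2))
    return (u, e, v, L)


def decrypt(sk, ct):
    """Return r, or None (the paper's bottom) when the integrity check fails."""
    x1, x2, x3 = sk
    u, e, v, L = ct
    if absN2(v) != v:
        return None
    if pow(u, 2 * (x2 + H(u, e, L) * x3), N2) != pow(v, 2, N2):
        return None
    k = pow(2, -1, N)
    f = pow(e * pow(u, -x1, N2) % N2, 2 * k, N2)         # equals h^r if well formed
    if (f - 1) % N:
        return None
    r = (f - 1) // N
    return r if r < N else None


def roundtrip(seed=2024, r=777, L=b"invoice-42"):
    """Decrypt an honest ciphertext and three tampered copies: label changed,
    e multiplied by h (shifts r by one), v replaced by N^2 - v."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    u, e, v, L = encrypt(pk, r, L, rng)
    return (decrypt(sk, (u, e, v, L)),
            decrypt(sk, (u, e, v, L + b"x")),
            decrypt(sk, (u, e * h % N2, v, L)),
            decrypt(sk, (u, e, N2 - v, L)))
```

Note that the $e$ component alone is additively homomorphic ($e \cdot h$ encrypts $r + 1$ under the same randomness); it is only the hash of $(u, e, L)$ folded into $v$ that lets the decryptor reject such a modification, which is why the verifiable-encryption proof below has to cover $v$ as well as $u$ and $e$.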

To obtain a verifiable encryption scheme from the basic encryption scheme above, one uses an additional composite modulus $N_2 = P_2 Q_2$, where $P_2 = 2p_2 + 1$ and $Q_2 = 2q_2 + 1$ are safe primes, along with elements $g_2, h_2 \in \mathbb{Z}^*_{N_2}$ of order $p_2 q_2$. Optionally, one may use a third group, e.g., a group $\Gamma$ of prime order $\rho$ with generators $\gamma$ and $\delta$ for which the discrete logarithm problem is not known to be vulnerable to subexponential attacks, to improve efficiency. We view $(N_2, g_2, h_2, \Gamma, \gamma, \delta)$ as a common reference string. We require $N_2 \neq N$ and $|\Gamma| < N 2^{-k-k'-3}$ for security parameters $k$ and $k'$ as described in [6].

Now, suppose that $\alpha = \gamma^r$ for $r \in [\rho]$; then, $r$ can be verifiably encrypted as follows. The sender computes $(u, e, v)$ as before, generates $s \in_R [N_2/4]$, sets $\ell = g_2^r h_2^s$, and then provides the following ZKPoK:

$$\mathrm{PK}\Big\{(t, r, s) : u^2 = g^{2t} \ \wedge\ e^2 = y_1^{2t} h^{2r} \ \wedge\ v^2 = \big(y_2 y_3^{H(u,e,L)}\big)^{2t} \qquad (1)$$

$$\wedge\ \alpha = \gamma^r \ \wedge\ \ell = g_2^r h_2^s \ \wedge\ r \in [\rho]\Big\}. \qquad (2)$$

The verifiability aspect of the encryption scheme relies on the strong RSA assumption, namely that, given $N_2$ and $z \in \mathbb{Z}^*_{N_2}$, it is hard to find $x \in \mathbb{Z}^*_{N_2}$ and $e > 1$ such that $x^e = z \bmod N_2$. One could alternatively avoid using the third group $\Gamma$ by requiring $N_2 < N 2^{-k-k'-3}$, setting $\alpha = g_2^r$, and proving the same equalities as above except those involving $\ell$. Notice, however, that if we do use the third group, then the last proof simply becomes a group membership check.

3 Model and Definition of Designated Confirmer Signatures

We describe designated confirmer signatures (DCS) following the exposition of [17]. The model comprises three parties: a signer $S$, a verifier $V$, and a designated confirmer $C$. A designated confirmer signature scheme supports the following (probabilistic polynomial-time) algorithms:

- DCGen: takes as input $1^\lambda$, and outputs two pairs of keys $(\mathrm{SGk}_S, \mathrm{VFk}_S)$ and $(\mathrm{Pk}_C, \mathrm{Sk}_C)$. The first pair constitutes $S$'s signing and verification keys, and the second consists of $C$'s public and private keys. For simplicity of exposition we denote DCGen as a single algorithm; in an actual implementation, the signer and confirmer would generate their key pairs separately, using distinct algorithms SGen and CGen, so that $C$ does not learn $\mathrm{SGk}_S$ and $S$ does not learn $\mathrm{Sk}_C$.

- Sign: takes as input a message $m$ and $\mathrm{SGk}_S$. It outputs a signature $\sigma$ such that $\mathrm{Verify}(m, \sigma, \mathrm{VFk}_S) = \mathrm{Accept}$.

- Verify: takes as input $m$, $\sigma$, $\mathrm{VFk}_S$ and outputs Accept if $\sigma$ is an output of $\mathrm{Sign}(m, \mathrm{SGk}_S)$.

Further, a DCS scheme must support the following protocols:

- $\mathrm{ConfirmedSign}_{(S,V)}$: an interactive protocol between $S$ and $V$ with common input $(m, \mathrm{VFk}_S, \mathrm{Pk}_C)$. The output is a pair $(b, \sigma')$ where $b \in \{\mathrm{Accept}, \bot\}$ and $\sigma'$ is $S$'s designated confirmer signature. For some $V$, the ConfirmedSign protocol must be complete and sound. For completeness, we require that there is some $S$ such that for any (valid) signer and confirmer keys, and for any message $m$, the ConfirmedSign protocol outputs $(\mathrm{Accept}, \sigma')$ where $\mathrm{Verify}(m, \mathrm{Extract}(m, \sigma', \mathrm{Sk}_C, \mathrm{VFk}_S), \mathrm{VFk}_S) = \mathrm{Accept}$. For soundness, we require that for all signers $S'$, if running ConfirmedSign results in an Accept, then

$$\Pr\big[\mathrm{Verify}(m, \mathrm{Extract}(m, \sigma', \mathrm{Sk}_C, \mathrm{VFk}_S), \mathrm{VFk}_S) = \bot\big] < \mathrm{negl}(\lambda).$$

In other words, $S'$ cannot convince $V$ that an "un-extractable" designated confirmer signature is valid.
- $\mathrm{ReconfirmedSign}_{(S,V)}$: an interactive protocol between $S$ and $V$ with common input $(m, \mathrm{VFk}_S, \mathrm{Pk}_C, \sigma')$ for designated confirmer signature $\sigma'$. The output is $b \in \{\mathrm{Accept}, \bot\}$. The completeness and soundness requirements are similar to those of Confirm below. In our scheme, the ReconfirmedSign protocol is identical to ConfirmedSign (except that ReconfirmedSign takes $\sigma'$ as input) and to the Confirm protocol (except that a signer takes the place of the confirmer); so, we omit further discussion of ReconfirmedSign.

- Extract: takes as input $m$, $\sigma'$, $\mathrm{Sk}_C$, $\mathrm{VFk}_S$ and returns a string $\sigma$ such that $\mathrm{Verify}(m, \sigma, \mathrm{VFk}_S)$ outputs Accept if $\sigma$ is an output of $\mathrm{Sign}(m, \mathrm{SGk}_S)$, and outputs $\bot$ otherwise.

- $\mathrm{Confirm}_{(C,V)}$: an interactive protocol between $C$ and $V$ with common input $(m, \sigma', \mathrm{VFk}_S, \mathrm{Pk}_C)$. The output is $b \in \{\mathrm{Accept}, \bot\}$. The protocol must be both complete and sound. For completeness, we require that there is some $C$ such that if $\mathrm{Verify}(m, \mathrm{Extract}(m, \sigma', \mathrm{Sk}_C, \mathrm{VFk}_S), \mathrm{VFk}_S) = \mathrm{Accept}$ then $b = \mathrm{Accept}$. For soundness, we require that for all confirmers $C$, if

$$\mathrm{Verify}(m, \mathrm{Extract}(m, \sigma', \mathrm{Sk}_C, \mathrm{VFk}_S), \mathrm{VFk}_S) = \bot,$$

then $\Pr[\mathrm{Confirm}_{(C,V)}(m, \sigma', \mathrm{VFk}_S, \mathrm{Pk}_C) = \mathrm{Accept}] < \mathrm{negl}(\lambda)$.

- $\mathrm{Disavowal}_{(C,V)}$: an interactive protocol between confirmer $C$ and verifier $V$ with common input $(m, \sigma', \mathrm{VFk}_S, \mathrm{Pk}_C)$. The output is $b \in \{\mathrm{Accept}, \bot\}$. The protocol must be complete and sound. For completeness, we require that there is a confirmer $C$ such that if $\mathrm{Verify}(m, \mathrm{Extract}(m, \sigma', \mathrm{Sk}_C, \mathrm{VFk}_S), \mathrm{VFk}_S) = \bot$ then $\mathrm{Disavowal}_{(C,V)} = \mathrm{Accept}$. For soundness, we require that for all confirmers $C$, if $\mathrm{Verify}(m, \mathrm{Extract}(m, \sigma', \mathrm{Sk}_C, \mathrm{VFk}_S), \mathrm{VFk}_S) = \mathrm{Accept}$, then $\Pr[\mathrm{Disavowal}_{(C,V)}(m, \sigma', \mathrm{VFk}_S, \mathrm{Pk}_C) = \mathrm{Accept}] < \mathrm{negl}(\lambda)$.

For the purposes of the security model, we also define $\mathrm{OutputDCS}_{(S,V)}$, a two-move stunted version of $\mathrm{ConfirmedSign}_{(S,V)}$ in which $V$ queries $m$ to $S$ and $S$ outputs a DCS $\sigma'$ on $m$ (without "confirming" its correctness).

We now state the security requirements of a DCS scheme in detail.

Definition 1. Below, we assume that the adversary has access to a collection $\mathcal{O} = \{\mathrm{ConfirmedSign}_{(S,\mathcal{A})}, \mathrm{ReconfirmedSign}_{(S,\mathcal{A})}, \mathrm{Confirm}_{(C,\mathcal{A})}, \mathrm{Disavow}_{(C,\mathcal{A})}, \mathrm{Extract}_{(C,\mathcal{A})}\}$ of five oracles for: 1) receiving a confirmed signature on a message of its choice (via the $\mathrm{ConfirmedSign}_{(S,\mathcal{A})}$ oracle); 2) executing the prover's role in the $\mathrm{ReconfirmedSign}_{(S,\mathcal{A})}$ interactive protocol; 3) executing the prover's role in the $\mathrm{Confirm}_{(C,\mathcal{A})}$ interactive protocol; 4) executing the prover's role in the $\mathrm{Disavow}_{(C,\mathcal{A})}$ interactive protocol; and 5) extracting an ordinary signature from a designated confirmer signature.

1. Security for verifiers. Security for verifiers follows from the soundness requirement above - informally, that an adversary must not be able, even if the adversary compromises the private keys of $S$ and $C$, to create a $(m, \sigma')$ that will be confirmed (either in ConfirmedSign or Confirm) even though $\mathrm{Verify}(m, \mathrm{Extract}(m, \sigma', \mathrm{Sk}_C, \mathrm{VFk}_S), \mathrm{VFk}_S) = \bot$ ("Case 1"), or that will be disavowed even though $\mathrm{Verify}(m, \mathrm{Extract}(m, \sigma', \mathrm{Sk}_C, \mathrm{VFk}_S), \mathrm{VFk}_S) = \mathrm{Accept}$ ("Case 2"). Formally, we define the advantage of the adversary $\mathrm{Adv}_{foolV}(\mathcal{A}) := \Pr[b_{foolV1} = 1 \vee b_{foolV2} = 1 \vee b_{foolV3} = 1]$, where $(b_{foolV1}, b_{foolV2}, b_{foolV3})$ are defined by the experiment in Figure 2. For compactness, we use "Case 1" and "Case 2" to refer to the verification condition that the adversary's output $(m, \sigma')$ must satisfy. We say a scheme is secure for verifiers if $\mathrm{Adv}_{foolV}(\mathcal{A}) < \mathrm{negl}(\lambda)$ for all probabilistic polynomial time algorithms $\mathcal{A}$.

2. Security for signers. Informally, an adversary should be able to create a DCS $(m, \sigma'_0)$ that is extractable or confirmable (either in ConfirmedSign or Confirm) only if $\sigma'_0$ is somehow "equivalent" to a DCS $(m, \sigma'_1)$ that it received in response to a ConfirmedSign query on $m$. We say $(m, \sigma'_0)$ and $(m, \sigma'_1)$ are equivalent if $R(m, \sigma'_0, \sigma'_1) = 1$ for some specified efficiently computable relation $R$. For example, if DCS signatures are strongly existentially unforgeable, it may be appropriate to say $R(m, \sigma'_0, \sigma'_1) = 1$ only when $\sigma'_0 = \sigma'_1$. However, $R$ need not be that restrictive; it depends on the DCS scheme. In the experiment in Figure 2, $L_{sig}$ is a list that is viewed as containing the $(m, \sigma'_1)$ associated to the ConfirmedSign output, as well as all $(m, \sigma')$ for which $R(m, \sigma', \sigma'_1) = 1$. In the figure, for compactness, we say (e.g.) $\sigma' \notin L_{sig}$ rather than the more accurate $(m, \sigma') \notin L_{sig}$, since $m$ will be clear from the context. Formally, we define $\mathcal{A}$'s advantage $\mathrm{Adv}_{impS}(\mathcal{A})$ to be the probability that the experiment returns 1. We say a scheme is secure for signers if $\mathrm{Adv}_{impS}(\mathcal{A}) < \mathrm{negl}(\lambda)$ for all probabilistic polynomial time algorithms $\mathcal{A}$.

3. Transcript Simulatability. The confirmation or disavowal of a designated confirmer signature $\sigma'$ should not be transferable - e.g., the transcript of a proof of knowledge in $\mathrm{Confirm}_{(C,V_1)}(m, \sigma', \mathrm{VFk}_S, \mathrm{Pk}_C)$ should not convince $V_2$ ($\neq V_1$) that $\sigma'$ signs $m$. To ensure that $V_1$'s transcript is unconvincing, we require that transcripts be simulatable. To model this in the experiment in Figure 2, first $\mathcal{A}_0$ outputs two messages $m_0$ and $m_1$ and some state $s$, next a DCS $\sigma'$ on one of the messages is output, and then $\mathcal{A}_1$, $\mathcal{A}'_1$ and $\mathcal{A}_2$ play a game in which $\mathcal{A}'_1$ tries to make its output (when the DCS signs $m_1$) look indistinguishable from $\mathcal{A}_1$'s output (when the DCS signs $m_0$); $\mathcal{A}_2$ attempts to distinguish whether its input $\tau$ came from $\mathcal{A}_1$ or $\mathcal{A}'_1$. In the game, $\mathcal{A}_1$ gets almost complete access to the oracles $\mathcal{O}$; the only restriction is that $(m, \sigma') \notin L_{ext}$, where $L_{ext}$ is a list that is viewed as containing each $(m^*, \sigma^*)$ that has been queried by $\mathcal{A}_1$ to the Extract oracle, as well as all $(m^*, \sigma'')$ for which $R(m^*, \sigma'', \sigma^*) = 1$; otherwise $\mathcal{A}_1$ could trivially give $\mathcal{A}_2$ indisputable proof that $m_0$ was signed - the extraction of $\sigma'$. On the other hand, we give $\mathcal{A}'_1$ very limited access to $\mathcal{O}$; it can make only $q$ OutputDCS queries, where $\mathcal{A}_1$ makes at most $q$ ConfirmedSign queries. We give $\mathcal{A}_2$ access to a limited set of oracles $\mathcal{O}_{lim}$ - specifically, $\mathcal{A}_2$ cannot make any $\mathcal{O}$ query on $(m_0, \sigma'')$ if $R(m_0, \sigma', \sigma'') = 1$ or on $(m_1, \sigma'')$ if $R(m_1, \sigma', \sigma'') = 1$; otherwise, its distinguishing task becomes trivial. If $\mathcal{A}_2$ has negligible advantage, this suggests that $\mathcal{A}_1$'s potentially authentic transcript that $m_0$ was signed is no more convincing or informative than $\mathcal{A}'_1$'s simulated transcript that (falsely) "proves" that $m_0$ was signed. In the security proof, $\mathcal{A}'_1$ will use $\mathcal{A}_1$ as a subroutine, and will simulate correct responses to $\mathcal{A}_1$'s $\mathcal{O}$ queries on $\sigma'$ and equivalent DCS's. Formally, we define the advantage of the adversary $\mathrm{Adv}_{trans}(\mathcal{A})$ to be $\max(0, \Pr[\text{experiment returns } 1] - 1/2)$.

Exp-NoFoolVerifier:

1. $(\mathrm{SGk}_S, \mathrm{VFk}_S, \mathrm{Sk}_C, \mathrm{Pk}_C) \leftarrow \mathrm{DCGen}(1^\lambda)$

2. $(m, \sigma'_1, \tau_1, \tau_2, \tau_3) \leftarrow \mathcal{A}_0^{\mathcal{O}}(\pi, \mathrm{SGk}_S, \mathrm{Sk}_C)$

3. $(b_{foolV1}, \sigma'_0) \leftarrow \mathrm{ConfirmedSign}_{(\mathcal{A}_1(\tau_1), V)}(\pi, m)$ in Case 1

4. $b_{foolV2} \leftarrow \mathrm{Confirm}_{(\mathcal{A}_2(\tau_2), V)}(\pi, m, \sigma'_1)$ in Case 1

5. $b_{foolV3} \leftarrow \mathrm{Disavowal}_{(\mathcal{A}_3(\tau_3), V)}(\pi, m, \sigma'_1)$ in Case 2

6. Return $b_{foolV1} \vee b_{foolV2} \vee b_{foolV3}$.

Exp-NoImpSigner:

1. $(\mathrm{SGk}_S, \mathrm{VFk}_S, \mathrm{Sk}_C, \mathrm{Pk}_C) \leftarrow \mathrm{DCGen}(1^\lambda)$

2. $(m, \sigma') \leftarrow \mathcal{A}^{\mathcal{O}}(\pi, \mathrm{Sk}_C)$

3. $b_{impS} \leftarrow \mathrm{Verify}(m, \sigma, \mathrm{VFk}_S)$ for $\sigma = \mathrm{Extract}(m, \sigma', \mathrm{Sk}_C, \mathrm{VFk}_S)$

4. Return $(b_{impS} \wedge (\sigma' \notin L_{sig}))$.

Exp-TranscriptSimulatability:

1. $(\mathrm{SGk}_S, \mathrm{VFk}_S, \mathrm{Sk}_C, \mathrm{Pk}_C) \leftarrow \mathrm{DCGen}(1^\lambda)$

2. $(m_0, m_1, s) \leftarrow \mathcal{A}_0^{\mathcal{O}}(\pi, \mathrm{SGk}_S)$

3. $b \leftarrow \{0, 1\}$

4. $(b', \sigma') \leftarrow \mathrm{ConfirmedSign}_{(S, V)}(\pi, m_b)$

5. If $b = 0$, $\tau \leftarrow \mathcal{A}_1^{\mathcal{O}}(\pi, m_0, m_1, s, \sigma')$; else, $\tau \leftarrow \mathcal{A}'^{\mathrm{OutputDCS}}_1(\pi, m_0, m_1, s, \sigma')$

6. Return 1 iff $b = \mathcal{A}_2^{\mathcal{O}_{lim}}(\pi, m_0, m_1, \tau, \sigma')$ and $\sigma' \notin L_{ext}$.

Fig. 2. Experiments for definition of DCS security. Above, $\pi$ is shorthand for $(1^\lambda, \mathrm{VFk}_S, \mathrm{Pk}_C)$.

In our model, we allow that $\sigma'$ may convince verifier $V_2$ above that the signer indeed signed some message $m$. In this sense, the transcript is not perfectly simulatable; only the ZK proofs are. Accordingly, in the security model, $\mathcal{A}'_1$ needs access to ConfirmedSign; without some DCS's generated by $S$, $\mathcal{A}'_1$ has no hope in our scheme of making its output indistinguishable from $\mathcal{A}_1$ (which has almost unrestricted access to $\mathcal{O}$). Thus, our model is weaker than that in [21]. However, we believe that our model, especially given our very efficient instantiation, is suitable for real-world settings, where it would be easy (e.g.) for the confirmer to publish a few "dummy" signatures by the signer during each time period to camouflage the presence or absence of a "real" (meaningful) signature. Again, we are inspired here by the discussion of Goldwasser and Waisbard [17], which emphasizes capturing only the "non-verifiability" of a DCS, although our definition differs from theirs.

How the Model Prevents Confirmer Impersonation. Of course, for a DCS scheme to be secure, it should be infeasible for an adversary A (even if it has SGks) to impersonate the confirmer by performing an Extract, Confirm, Disavowal, or ConfirmedSign associated to a pair (m, σ') contained in L_sig \ L_ext. Interestingly, this requirement is already covered by a combination of our Exp-NoFoolVerifier and Exp-TranscriptSimulatability experiments. For example, suppose that there is an adversary (B_0, B_1, B_2) that "breaks" Confirm in that

(m'_0, s') ← B_0^O(π, SGks), (σ'', τ') ← B_1^O(s'), Confirm_(B_2(τ'), V)(π, m'_0, σ'') = Accept

for (m'_0, σ'') ∈ L_sig \ L_ext with non-negligible probability, where (s', τ') is state information that is forwarded, and where B_1 makes only a polynomial number q of O queries. Then, (A_0, A_1, A_2) can use (B_0, B_1, B_2) to break Exp-TranscriptSimulatability with non-negligible probability, as follows. A_0 runs B_0, relays B_0's O queries and the responses, sets m_0 = m'_0 and outputs (m_0, m_1). If b = 0 in Exp-TranscriptSimulatability, A_1 runs B_1 and relays B_1's O queries and the responses, except that it responds to one of B_1's ConfirmedSign queries on m_0 by using a ReconfirmedSign query on (m_0, σ'). B_1 outputs (σ'', τ') and A_1 sets τ = τ'; σ'' is equivalent to σ' with probability at least 1/q. Finally, if σ'' is equivalent to σ', A_2 runs Confirm_(B_2(τ), V)(π, m_0, σ''). If the output is Accept, A_2 outputs 0; otherwise, it outputs a random bit. Since the output is Accept with non-negligible probability, and since an output of Accept implies Verify(m_0, Extract(m_0, σ', Skc, VFks), VFks) = Accept with overwhelming probability assuming Adv^foolV(A) < negl(λ), A_2's advantage is non-negligible.

Using the approach above, one can show that, for any (m'_0, m'_1) adaptively chosen by B_0, B_1 has a negligible probability of outputting a DCS σ'' on m'_0 that B_2 can disavow on m'_1. However, for the special case of Disavowal, one may want to require something stronger: that for any m'_0 adaptively chosen by B_0, B_1 has a negligible probability of outputting an m'_1 and a DCS σ'' on m'_0 that B_2 can disavow on m'_1. Our scheme satisfies this requirement, but it may not be necessary in general. If the message space is super-polynomial, and if a verifier V could merely check that m'_1 was generated randomly and independently of (m'_0, σ''), it would already believe that the probability that σ'' is a DCS on m'_1 is negligible. Thus, it does not seem unreasonable to allow that (B_1, B_2) may be able to disavow some message with respect to a DCS σ'' in L_sig \ L_ext on m'_0. It is an open question whether a more efficient DCS exists that meets the weaker requirement.

4 Our Transformation 

The Generic Construction. We first describe a generic scheme that trans- 
forms any traditional signature scheme into a DCS scheme; the transforma- 
tion also requires an IND-CCA2 secure encryption scheme and a statistically- 
hiding computationally-binding commitment scheme C. The scheme also uses 
zero knowledge proofs secure against cheating verifiers, as discussed in Section 
2. After describing our scheme generically, we provide an efficient instantiation. 

- DCGen: S uses a secure digital signature scheme DSS = (SGen, Sign, Verify), and creates a key pair (VFks, SGks) ← SGen(1^λ). C uses an IND-CCA2 encryption scheme PKE = (CGen, Enc, Dec), and creates a key pair (Pkc, Skc) ← CGen(1^λ). Note that C need not participate in any setup other than creating and publishing a key pair.

- Sign: To sign a message m with auxiliary information c, S creates a statistically hiding and computationally binding commitment ψ = C(m, r) to the message m using randomness r and creates σ* = Sign((ψ, c, VFks), SGks). The basic signature is σ = (σ*, c, r). S's verification key VFks is signed together with the commitment to prevent a signature issued by one signer from being fed to the Confirm oracle with a different signer's public key.

674 C. Gentry, D. Molnar, and Z. Ramzan

- ConfirmedSign: In addition to the above steps in the Sign procedure, S also computes the ciphertext c = Enc(Pkc, r). The designated confirmer signature is σ' = (σ*, ψ, c) for σ* = Sign((ψ, c, VFks), SGks). The signer also performs a ZK proof of knowledge of a value r such that ψ = C(m, r) and c = Enc(Pkc, r).

- Confirm: C first checks that (ψ, c, VFks) has been signed with SGks using the provided VFks, and aborts if the check fails. Then, C performs a ZK proof of knowledge of a value r such that ψ = C(m, r).

- Disavow: To disavow a purported signature σ' = (σ*, ψ, c) on message m, C does the following. C first checks if c is a valid encryption of some r. If not, it performs a ZK proof of knowledge that the string is not a well-formed encryption. Otherwise, C computes r' = Dec(Skc, c). If ψ ≠ C(m, r'), then C provides a ZKPoK of a value ρ such that ψ ≠ C(m, ρ) and ρ = Dec(Skc, c).

- Extract: On input σ' = (σ*, ψ, c) and m, C computes r' = Dec(Skc, c) and confirms that ψ = C(m, r') and that σ* is a valid signature on (ψ, c, VFks) under VFks. If so, it outputs r'; else, it outputs ⊥.
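The following Python sketch is an added example, not code from the paper; it wires the non-interactive steps of the generic transformation together so that Extract, the Confirm/Disavow decision and the VFks binding can be exercised on concrete values. Every component is a stand-in chosen for this example: Schnorr signatures play DSS (the construction accepts any EUF-CMA scheme), the Pedersen commitment hashes the message into Z_p before committing, and textbook Paillier plays PKE even though it is not IND-CCA2 (the paper's instantiation uses Camenisch-Shoup). The zero-knowledge proofs of ConfirmedSign, Confirm and Disavow are omitted, and the primes are toy-sized 64-bit values.

```python
# Added example, not the paper's code.  Stand-ins (assumptions of this sketch): Schnorr for DSS,
# Pedersen C(m, r) = delta^H(m) * gamma^r for C, textbook Paillier for PKE (NOT IND-CCA2).
import hashlib, secrets
from math import gcd, lcm

def is_probable_prime(n, rounds=40):          # Miller-Rabin for odd n >= 5, as generated below
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def group_gen(bits=64):                       # Gamma: order-p subgroup of Z_P^*, P = 2p + 1 a safe prime
    p = random_prime(bits)
    while not is_probable_prime(2 * p + 1):
        p = random_prime(bits)
    h = int.from_bytes(hashlib.sha256(b"pedersen-delta").digest(), "big")
    return 2 * p + 1, p, 4, pow(h, 2, 2 * p + 1)   # gamma = 4, delta = h^2: squares, so of order p

def H(p, *parts):                             # hash ints/bytes into Z_p; repr is injective on such tuples
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % p

def commit(G, m, r):                          # psi = C(m, r): statistically hiding, binding under DL
    P, p, gamma, delta = G
    return pow(delta, H(p, m), P) * pow(gamma, r, P) % P

def sgen(G):                                  # SGen: (SGks, VFks) = (x, gamma^x)
    P, p, gamma, _ = G
    x = secrets.randbelow(p - 1) + 1
    return x, pow(gamma, x, P)

def sign(G, sgk, parts):                      # Schnorr signature (beta, s) on the tuple parts
    P, p, gamma, _ = G
    k = secrets.randbelow(p - 1) + 1
    beta = pow(gamma, k, P)
    return beta, (k + sgk * H(p, beta, *parts)) % p

def verify(G, vfk, parts, sig):               # gamma^s == beta * VFks^H(beta, parts)
    P, p, gamma, _ = G
    beta, s = sig
    return pow(gamma, s, P) == beta * pow(vfk, H(p, beta, *parts), P) % P

def cgen(bits=64):                            # CGen: Paillier; Pkc = n, Skc = (n, lambda, mu)
    q1, q2 = random_prime(bits), random_prime(bits)
    n, lam = q1 * q2, lcm(q1 - 1, q2 - 1)
    assert q1 != q2 and gcd(n, lam) == 1      # fails only with negligible probability
    return n, (n, lam, pow(lam, -1, n))

def enc(n, r):                                # Enc(Pkc, r) = (1 + r n) u^n mod n^2, u in Z_n^*
    u = secrets.randbelow(n - 1) + 1
    assert gcd(u, n) == 1                     # a failure here would expose a factor of n
    return (1 + r * n) * pow(u, n, n * n) % (n * n)

def dec(skc, c):                              # Dec(Skc, c) = L(c^lambda mod n^2) * mu mod n
    n, lam, mu = skc
    return (pow(c, lam, n * n) - 1) // n * mu % n

def confirmed_sign(G, sgk, vfk, pkc, m):      # signer side, minus the ZK proof: sigma' = (sigma*, psi, c)
    r = secrets.randbelow(G[1])
    psi, c = commit(G, m, r), enc(pkc, r)
    return sign(G, sgk, (psi, c, vfk)), psi, c   # VFks is bound into the signed tuple

def extract(G, skc, vfk, m, dcs):             # Extract; None models the bottom output
    sigma_star, psi, c = dcs
    r = dec(skc, c)
    ok = verify(G, vfk, (psi, c, vfk), sigma_star) and commit(G, m, r) == psi
    return r if ok else None

def confirmer_decision(G, skc, vfk, m, dcs):  # what C decides before running Confirm or Disavow
    sigma_star, psi, c = dcs
    if not verify(G, vfk, (psi, c, vfk), sigma_star):
        return "abort"                        # sigma* is not on (psi, c, VFks) under this VFks
    return "confirm" if extract(G, skc, vfk, m, dcs) is not None else "disavow"

def demo():
    G, (pkc, skc) = group_gen(), cgen()
    sgk, vfk = sgen(G)
    m, other = b"pay Bob 10", b"pay Bob 20"   # constructed sample messages
    dcs = confirmed_sign(G, sgk, vfk, pkc, m)
    r = extract(G, skc, vfk, m, dcs)           # the basic signature is (sigma*, c, r)
    return {"verify_ok": r is not None and verify(G, vfk, (commit(G, m, r), dcs[2], vfk), dcs[0]),
            "decision": confirmer_decision(G, skc, vfk, m, dcs),
            "decision_other": confirmer_decision(G, skc, vfk, other, dcs),
            "other_signer": confirmer_decision(G, skc, sgen(G)[1], m, dcs)}
```

demo() reports that Extract on the right message returns an opening r for which the basic signature (σ*, c, r) verifies, that the same σ' presented with another message leads the confirmer to Disavow rather than Confirm, and that a σ' presented under a different signer's VFks is rejected before any proof is run, because VFks sits inside the signed tuple.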

Notice that all the statements involving zero-knowledge proofs can be expressed as NP statements (and have a short witness). Therefore, we can, in theory, instantiate the above scheme in polynomial time for any suitably secure encryption scheme, commitment scheme, and signature scheme. Of course, using generic zero-knowledge proofs for NP statements is not very practical. Therefore, we now describe how to instantiate the encryption and commitment schemes so that the resulting zero-knowledge proofs of knowledge are simple and efficient.

Efficient Instantiation for Any Signature Scheme. We show how to efficiently instantiate the above scheme. The underlying encryption scheme PKE is the scheme by Camenisch and Shoup discussed in Section 2. The commitment scheme C(m, r) will be a Pedersen-type commitment scheme over a group Γ of prime order p, with generators γ and δ, as described in Section 2. We can use any secure signature scheme. Then, our Confirm and Disavow protocols use the CDM ZK proofs as described in Section 2. With these choices, the underlying zero-knowledge proofs are efficient (using the CDM techniques for proving equality and inequality of discrete logarithms together with the Camenisch-Shoup verifiable encryption of the randomness used for the Pedersen commitment). Moreover, we can plug in any secure signature scheme, and the complexity of Confirm, Disavow, and Extract is essentially independent of this choice.

Security Analysis. We now state a theorem that our generic transformation 
yields a secure designated confirmer signature scheme. We require that the sig- 
nature schemes be existentially unforgeable under chosen message attack, that 
our commitment schemes be hiding and binding, and the encryption scheme be 
secure against chosen ciphertext attack. The security for our efficient Paillier- 
based instantiation follows. 
Theorem 1. Let DSS = (SGen, Sign, Verify) be any signature scheme existentially unforgeable against chosen message attack, let PKE = (CGen, Enc, Dec) be any IND-CCA2 secure encryption scheme, and let C(m, r) be any statistically-hiding computationally-binding commitment scheme with perfect zero-knowledge proofs of knowledge for committed values secure against cheating verifiers. Then the DCS scheme obtained by our generic conversion is a secure DCS scheme.

Proof. (Sketch). In this proof, we say that the relation R(m, σ', σ'') equals 1 in our scheme if σ' = (σ*, ψ, c), σ'' = (σ*', ψ', c'), and (ψ, c) = (ψ', c'); otherwise, it equals 0. Also, below, a second algorithm (say, B) will construct the necessary zero-knowledge proofs in response to A's O queries by using a (possibly rewinding) simulator. For example, assuming we use the CDM protocol [13] for our ZK proofs, B proceeds as follows: upon receiving A's commitment to its value e together with a proof of knowledge of e, B extracts e by using the knowledge extractor E together with A. Then B can complete Part 2 of the CDM protocol by using its knowledge of e. As Cramer et al. argue, B's proof in Part 2 is witness indistinguishable; so, B's simulation is sound.

Now, suppose the theorem is false. Then there exists a probabilistic polynomial time adversary A that can break the security of the DCS scheme. Specifically, at least one of Adv^impS(A), Adv^impC(A), Adv^foolV(A), or Adv^trans(A) is not negligible in the security parameter. We consider the resulting cases.

The Adv^impS(A) Case. If Adv^impS(A) is not negligible, then the adversary has a non-negligible probability of successfully outputting a DCS (m, σ') for which Verify(m, Extract(m, σ', Skc, VFks), VFks) = Accept and σ' ∉ L_sig. From A, we can construct an algorithm B that either constructs an existential forgery of the underlying signature scheme, or violates the binding property of the commitment scheme, as follows.

The algorithm B generates (Skc, Pkc) and gives (π, Skc) to A. Then B responds to A's ConfirmedSign query on a message m' by choosing a random r', setting ψ = C(m', r'), generating an appropriate ciphertext c that encrypts r', and then using its oracle access to Sign to obtain a signature on (ψ, c, VFks). For Confirm, Extract and Disavowal queries, B uses Skc. Suppose that A outputs a pair (m, σ') with σ' = (σ*, ψ, c) and (m, σ') ∉ L_sig. B uses Skc to perform Extract on σ', thereby obtaining σ = (σ*, r, c). If (m', σ') ∈ L_sig for some m', then B must have responded to A's ConfirmedSign query on m' by generating a random r' for which ψ = C(m', r') = C(m, r); since m' ≠ m, this violates the binding property of the commitment scheme. Otherwise, if there is no message m' for which (m', σ') ∈ L_sig, B outputs σ as an existential forgery of the signature scheme (on the message (ψ, c, VFks)).

The Adv^impC(A) Case. Suppose that Adv^impC(A) is not negligible. Then, from A, we can construct an algorithm B that breaks the chosen-ciphertext security of the underlying encryption scheme.

The algorithm B runs as follows. It picks two random messages r_0 and r_1 for the "find" stage of the encryption game, and receives a challenge ciphertext Enc(r_b) for a random b. Then B runs A as a subroutine. B responds to A's Extract queries by using its access to the decryption oracle of the encryption scheme. Then B responds to one of A's q ConfirmedSign queries by flipping a coin b', setting ψ = C(m, r_{b'}) and c = Enc(r_b), querying the Sign oracle for a signature σ* on (ψ, c, VFks), and setting σ' = (σ*, ψ, c). To construct a (potentially false) "proof" that the r_{b'} embedded in ψ is identical to the r_b embedded in c, B uses the simulator S_A for the ZK proof of knowledge of r_{b'}, treating the adversary as a cheating verifier. Because the ZK proof of knowledge is complete and because the transcripts output by the simulator are identically distributed to the interaction between the real prover and the adversary, the adversary will accept the "proof."

For other ConfirmedSign queries by A, B acts as follows: B generates a random r as in the actual scheme, sets ψ = C(m, r) and c = Enc(r), and queries the Sign oracle for a signature σ* on (ψ, c, VFks); it responds with (σ*, ψ, c) and the appropriate proofs of knowledge.

B responds to a Confirm or Disavowal query on (σ*, ψ, c, VFks, m) by determining whether σ* is a valid signature on (ψ, c, VFks). If so, and if B has not queried (ψ, c, VFks) to the Sign oracle, B aborts. If (ψ, c, VFks) has already been signed, then B recovers its log of the action it performed in the ConfirmedSign query corresponding to (ψ, c, VFks): in particular, it recovers the values of (r', m') that it used to generate ψ. Then, if m = m' (and Confirm is therefore appropriate), it proves (using a "false" proof via the simulator, if necessary) that this value of r' is encrypted in c. Analogously, if m ≠ m' (and Disavowal is therefore appropriate), B can provide a proof of knowledge of an r' such that r' is encrypted in c and C(m, r') ≠ ψ.

Eventually, with non-negligible probability, A outputs some (m, σ') ∈ L_sig \ L_ext. Let σ' = (σ*, ψ, c). If A performs a successful Confirm, Disavowal or ConfirmedSign using (m, σ'), B uses A together with the knowledge extractor E to extract the value r encrypted in c. Now there are two cases. In the first case, c = Enc(r_b), i.e., c is the challenge ciphertext for B; this case occurs with probability negligibly close to 1/q. Notice that because the zero-knowledge proof is perfect zero-knowledge, the use of the simulator to construct proofs does not affect this probability. If c = Enc(r_b), then B outputs b as its guess; otherwise, B selects b uniformly at random. In the second case, c ≠ Enc(r_b). In this case, we can violate the soundness of the underlying ZKPoK: the execution of Confirm or ConfirmedSign on c constitutes an interaction that violates soundness of the proof of knowledge.

The Adv^trans Case. We construct A_1' by using A_1 as a subroutine; later, we show that if A_2 can distinguish which output came from A_1', this violates the IND-CCA2 security of the encryption scheme.

We construct A_1' as follows. To generate τ, A_1' runs A_1 on input (m_1, s, σ'). A_1' responds to A_1's permitted O queries by using its access to O. For Confirm queries on (m_1, σ') (or on (m_1, σ_1') for which R(m_1, σ', σ_1') = 1) and Disavowal queries on (m_0, σ') (or equivalent DCS's), A_1' uses the rewinding technique to construct the needed (false) ZK proofs. Eventually, A_1 outputs a string τ'; A_1' outputs τ = τ' and terminates. Let 1/2 + ε_0 be the probability that A_2 outputs b when A_1' generates its output in this manner.



Efficient Designated Confirmer Signatures Without Random Oracles 677 


Now, consider the following modified experiment ModExp, whose only difference from the experiment in Figure 2 is that we replace A_1' with A_1''. We construct A_1'' as follows. To generate τ, A_1'' runs A_1 on input (m_0, s, σ'). A_1'' responds to A_1's permitted O queries by using its access to O. For Confirm queries on (m_0, σ') (or equivalent DCS's) and Disavowal queries on (m_1, σ') (or equivalent DCS's), A_1'' uses the simulator to construct the needed ZK proofs. Eventually, A_1 outputs a string τ'; A_1'' outputs τ = τ' and terminates. Let 1/2 + ε_1 be the probability that A_2 outputs b when A_1'' generates its output in this manner.

The only difference between the two experiments is A_1's view; in ModExp, A_1 obtains simulated proofs of true statements in response to its Confirm query on (m_0, σ') and Disavowal query on (m_1, σ'). Thus, if |ε_0 − ε_1| is non-negligible, then A_2 distinguishes interactions with the simulator from interactions with the true prover, contradicting the zero-knowledge property of the ZK proofs.

The only difference between the algorithms A_1' and A_1'' in ModExp is that the former simulates a (false) Confirm on (m_1, σ'), while the latter simulates a true Confirm (and similarly for Disavowal queries). Thus, if |ε_1| is non-negligible, an adversary B can use (A_0, A_1, A_1', A_1'') to break the IND-CCA2 security of the encryption scheme. Specifically, B runs (A_0, A_1, A_1', A_1'') and obtains the messages m_0 and m_1. Then B selects m_0 and m_1 in the find stage of the IND-CCA2 encryption game. Finally, B guesses the bit b. We see that if |ε_1| is non-negligible, then B wins the encryption game with non-negligible probability.

The Adv^foolV(A) Case. Finally, if Adv^foolV(A) is not negligible, then the adversary can generate fake valid zero-knowledge proofs with non-negligible probability, violating soundness.


5 Evaluation 

Our Efficient Instantiation. For our efficient instantiation, Confirm requires proving equality of discrete logarithms, specifically proving knowledge of an r such that ψ δ^{−m} = γ^r. This can be accomplished using the protocol of Chaum and Pedersen in four exponentiations. To achieve general-verifier ZK, the techniques of Cramer et al. result in a 4-round protocol with 10 total exponentiations [8,13].
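As an added example (not from the paper), the protocol below is the honest-verifier Schnorr/Chaum-Pedersen-type proof of knowledge of the discrete logarithm r that Confirm reduces to in this instantiation, written with both parties as message-passing objects, together with the transcript simulator the security proof relies on. The group parameters (P = 1019, p = 509, γ = 4, δ = 9) and treating m as an element of Z_p are assumptions of the example; the Cramer-Damgård-MacKenzie transformation that makes the proof zero-knowledge against cheating verifiers is not implemented.

```python
# Added example, not the paper's code: honest-verifier Sigma-protocol behind Confirm.
# Statement: Y = psi * delta^(-m) equals gamma^r for an r known to the confirmer,
# where psi = delta^m * gamma^r.  Toy parameters (assumed): P = 1019 = 2*509 + 1,
# Gamma = the order-509 subgroup of squares in Z_1019^*, gamma = 4, delta = 9.
import secrets

P, p, gamma, delta = 1019, 509, 4, 9

def commit(m, r):                          # Pedersen commitment psi = delta^m * gamma^r in Gamma
    return pow(delta, m % p, P) * pow(gamma, r % p, P) % P

def statement(psi, m):                     # public Y = psi * delta^(-m); the claim is Y = gamma^r
    return psi * pow(delta, -(m % p), P) % P

class Confirmer:                           # prover; holds the opening r of psi
    def __init__(self, r):
        self.r = r
    def announce(self):                    # round 1: t = gamma^w for a fresh w
        self.w = secrets.randbelow(p)
        return pow(gamma, self.w, P)
    def respond(self, e):                  # round 3: z = w + e*r mod p
        return (self.w + e * self.r) % p

class Verifier:                            # honest verifier; e may be fixed for reproducible runs
    def __init__(self, e=None):
        self.e = secrets.randbelow(p) if e is None else e % p
    def challenge(self):                   # round 2: random e in Z_p
        return self.e
    def accepts(self, Y, t, z):            # check gamma^z == t * Y^e
        return pow(gamma, z, P) == t * pow(Y, self.e, P) % P

def run_confirm(psi, m, r, e=None):
    """Interactive Confirm: the confirmer proves it knows r with psi = C(m, r); soundness error 1/p."""
    Y, prover, verifier = statement(psi, m), Confirmer(r), Verifier(e)
    t = prover.announce()
    z = prover.respond(verifier.challenge())
    return verifier.accepts(Y, t, z)

def simulate(psi, m, e):
    """Zero-knowledge simulator: an accepting transcript (t, e, z) built without r.  It must know
    the challenge e before fixing t, which is why the security proof rewinds the verifier."""
    z = secrets.randbelow(p)
    t = pow(gamma, z, P) * pow(statement(psi, m), -e, P) % P
    return t, e, z

def check_transcript(psi, m, t, e, z):    # what anyone checking a recorded transcript computes
    return pow(gamma, z, P) == t * pow(statement(psi, m), e, P) % P
```

run_confirm succeeds for the right (m, r) and fails for any other opening or any other message except with probability 1/p; the wrong-message case is exactly the situation in which the confirmer should run Disavow instead. simulate produces an accepting transcript with no knowledge of r only because it sees the challenge first, which is the gap the security proof closes by rewinding, and which the CDM transformation closes against a cheating verifier.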

The Disavow protocol requires proving inequality of discrete logarithms, which we do by using the techniques of Camenisch and Shoup [6]. From the Preliminaries, the resulting proof consists of five clauses, four of which prove statements about discrete logarithms and the final clause shows that a committed value r is in a specified range. Because we work over a group with public prime order and the range is just the order of the group, the range test reduces to a simple group membership test costing one exponentiation. For the other four clauses, we can apply the optimized protocol of Cramer et al. to obtain general-verifier ZK at the cost of 4 rounds and 10 exponentiations per clause; with sequential composition this gives us 16 total rounds and 41 total exponentiations. We remark that a more efficient protocol appears possible by using the results of Cramer et al. on monotone composition of SHVZK protocols, but this result is already better than a generic zero-knowledge proof [13].

Comparison to Goldwasser-Waisbard. Both our approach and Goldwasser-Waisbard use a weakened definition of designated confirmer signatures which requires non-verifiability of unconfirmed signatures. Goldwasser-Waisbard use this weakening to explore strong witness hiding proofs of knowledge (WHPOKs) for Confirm protocols, and we use this weakening to explore a different way of creating designated confirmer signatures [17].

While the strong WHPOKs constructed by Goldwasser and Waisbard are more efficient than generic zero-knowledge proofs, they still require substantial practical overhead. For example, the strong WHPOK described for the case of Cramer-Shoup signatures uses a zero-knowledge proof of knowledge (ZKPOK) of an e-th root as a subroutine. Each such proof of an e-th root requires an exponentiation; with the suggested parameters this uses a 161-bit exponent. Two proofs are needed for the WHPOK, which then must be repeated λ times to reduce the soundness error. As a result, Confirm requires 2λ exponentiations. Further, Disavow still requires a generic ZKPOK; Goldwasser and Waisbard note that there appears to be no easy way to extend their approach to obtain an efficient Disavow, since it is not clear what witness is supposed to be "hidden." The efficiency requirements for the strong WHPOK exhibited for the GMR and Gennaro-Halevi-Rabin signatures are similar. While Goldwasser and Waisbard do exhibit a more efficient WHPOK for the case of RSA signatures, the resulting DCS signatures are existentially forgeable.

Our Confirm, in contrast, requires 10 exponentiations. Further, our Disavow 
protocol is more efficient than the generic ZKPOK used by Goldwasser-Waisbard, 
although less efficient than Confirm. Finally, our protocols are zero-knowledge in- 
stead of witness-hiding. 

The main advantage of Goldwasser-Waisbard is that they have exhibited efficient strong WHPOK using the same assumptions as the underlying signature scheme. Our approach, in contrast, requires the "extra" composite residuosity assumption for the Paillier scheme. We note, however, that for each new signature scheme, new effort must be exerted to find efficient strong WHPOK without adding new assumptions. Conversely, one could look for protocols in our framework that require different assumptions for Confirm and Disavow. For example, if one were willing to live with an inefficient Disavow, we could replace the Camenisch-Shoup encryption with an arbitrary IND-CCA2 scheme and construct an efficient Confirm assuming only hardness of discrete logarithms.

Comparison to Camenisch-Michels. Camenisch and Michels give a generic scheme for constructing designated confirmer signatures. They propose a specific instantiation with RSA signatures and Cramer-Shoup encryption [4]. Security for the underlying RSA signature is achieved by using full-domain hash, so the resulting scheme has a proof of security only in the random oracle model. Their Confirm protocol requires proving 12 statements regarding equalities and proofs that committed numbers are in a specific interval, while their Disavow protocol has 20 such statements. They note in their Remark 4 that because these proofs involve double discrete logarithms the verifier uses only binary challenges. As a result, the proof must be repeated λ times for soundness [4]. We optimistically estimate that each clause takes 3 exponentiations, leading to a total of 36λ exponentiations for Confirm and 60λ for Disavow.

Comparison to Camenisch-Shoup. In their paper on verifiable encryption, Camenisch and Shoup observe that, following Asokan et al., a designated confirmer Schnorr signature can be created where Confirm requires proving only a single equality of discrete logarithms [6,1]. The details are due to appear in a forthcoming paper. Because this paper is not yet available, we speculate on the details to make a reasonable comparison to our work. Let (γ, γ^x) be a public key for a Schnorr signature, where γ is a generator of a group G and x is the secret key. Then a Schnorr signature on m is the triple (β, c, s), where β = γ^r for a random r, c = H(β, m), and s = r + xc mod p, for p the order of G. The DCS Schnorr output is then the 4-tuple (β, c, δ, ψ), where δ = γ^s and ψ is an encryption of s under the confirmer's public key. Anyone can check that δ = β (γ^x)^c to verify the consistency of the signature. Then the confirmer need only prove or disprove that ψ = E(log_γ δ) to Confirm or Disavow.

In this special case, the Camenisch-Shoup approach is as efficient as our scheme for Confirm and Disavow; indeed, we use their protocols for proving inequality of discrete logarithms. Unfortunately, the Schnorr scheme requires random oracles, so as sketched the approach does not produce a scheme with a proof in the standard model.

If we review the Cramer-Shoup, Goldwasser-Micali-Rivest, and Gennaro-Halevi-Rabin signature schemes with proofs of security in the standard model, then we see that these schemes do not appear to have the same reduction as Schnorr from validity to equality of discrete logarithms. For example, Cramer-Shoup requires proving knowledge of an e-th root, which does not translate straightforwardly to a statement about equality of discrete logarithms. In contrast, our use of a commitment adds a "layer of indirection" that allows us to achieve efficiency for every signature scheme. As a result, we can use any of these signature schemes to obtain an efficient designated confirmer signature with a proof in the standard model.

Finally, we note that the Camenisch-Shoup approach requires, as we do, a 
Paillier-type encryption and the associated composite residuosity assumption for 
efficient implementation. Therefore both their approach and ours require pos- 
sibly introducing extra assumptions beyond those of the underlying signature 
scheme. 

6 Conclusion 

We have shown that weakening the definition of designated confirmer signa- 
tures, as suggested by Goldwasser and Waisbard, can yield a big payoff in the 
efficiency of generic designated confirmer signature schemes. By using a com- 
mitment scheme to add a “layer of indirection,” we used the techniques of 
Camenisch and Shoup to exhibit efficient Confirm and Disavow protocols for 
any underlying signature scheme. Going further, we could look for commitment 
schemes and efficient protocols based on different assumptions. For example, can 
we adapt the techniques of Camenisch and Lysyanskaya [5] to obtain an even 
more efficient instantiation based on bilinear mappings? We could also investi- 
gate the strong witness hiding proofs of knowledge approach of Goldwasser and 
Waisbard with an eye towards weakening the assumptions required for efficient 
instantiation. 
Abstract. Many variants of Chaum and van Antwerpen's undeniable signatures have been proposed to achieve specific properties desired in real-world applications of cryptography. Among them, directed signatures were introduced by Lim and Lee in 1993. Directed signatures differ from the well-known confirmer signatures in that the signer has the simultaneous abilities to confirm, deny and individually convert a signature. The universal conversion of these signatures has remained an open problem since their introduction in 1993. This paper provides a positive answer to this quest by showing a very efficient design for universally convertible directed signatures (UCDS) both in terms of computational complexity and signature size. Our construction relies on the so-called xyz-trick applicable to bilinear map groups. We define proper security notions for UCDS schemes and show that our construction is secure in the random oracle model, under computational assumptions close to the CDH and DDH assumptions. Finally, we introduce and realize traceable universally convertible directed signatures where a master tracing key allows to link signatures to their direction.


1 Introduction 

Digital signatures were introduced to identify the source of digital data. In particular they are non-repudiable and universally verifiable. For centuries, seals and handwritten signatures were attached to documents to indicate the issuer's identity. To determine the authenticity of this identity, the original scripts have to be validated in some sense. In the electronic world, however, the ease of copying and thereby distributing digital signatures, together with their self-authenticating property, may pose a serious threat to the signer's privacy. The concept of undeniable signature was first addressed at Crypto'89 by Chaum and van Antwerpen [12]. These signatures have the appealing property that a purported signature cannot be checked without the cooperation of the signer and cannot be denied if the latter has indeed generated the signature. They have found numerous applications in applied cryptography, but the obvious problem with this idea is that in any setting where the signer becomes unavailable, nothing can be determined. Hence, Boyar, Chaum, Damgård and Pedersen [7] proposed convertible undeniable signatures which provide the additional feature of converting (individually or universally) the undeniable signatures to ordinary signatures. Another approach has produced various flavors of undeniable signatures which may also be verified by interacting with an entity which has been designated by the signer. Directed signatures introduced in 1993 by Lim and Lee [21], (designated) confirmer signatures [11], or limited verifier signatures [1] are among the best known examples. All of them, which we gather under the generic name of delegated undeniable signatures, guarantee to the recipient of a signature the ability to verify it, even when the signer cannot (or refuses to) do so. Directed signatures find a prominent application in the realization of complete peer-to-peer secure messaging systems and are a powerful tool to devise protocols for contract signing [2] or verifiable signature sharing [15]. They provide an individual conversion operation, but up to now none of them provides a mechanism for universal conversion¹.

From a formal point of view, directed signatures and confirmer signatures are quite similar, the only notable difference, apart from the signer's ability to convert signatures, being the real-world applications the authors had in mind. In brief, a universally convertible directed signature scheme enjoys the following properties. Assuming a signer A and a confirmer B, seen as registered users of the system, A produces signatures that only B (and A her/himself) can verify. Signatures of that type are called (A, B)-directed signatures. Now both A and B have the ability to

- prove in a non-transferable way the validity or invalidity of an (A, B)-directed signature to any other party.

- convert a given (A, B)-directed signature into a regular, universally verifiable signature. This operation does not affect other (A, B)-directed signatures and is carried out independently of the signed message.

- publish a universal trapdoor T by means of which all (A, B)-directed signatures become universally verifiable. The trapdoor has no impact whatsoever on (A', B')-directed signatures for (A', B') ≠ (A, B).

These operations are independent and performed concurrently, meaning that A and B do not have to interact with each other to achieve either one of these operations.

The literature on confirmer signatures is inconsistent on whether the signer is able to confirm and/or deny signatures. In the recent formalization of confirmer signatures [9,17], in order to protect the signer from a coercer, this ability is delegated only to the designated confirmer. However, the signer's ability to confirm, deny and sometimes convert signatures is requested or strongly desirable in many contexts, and this is supported by a number of schemes (e.g. [11,12,21]) including directed signatures. Again, none of these supports universal conversion of signatures.

¹ The limited verifier signature scheme, introduced in 1999 by Araki [1], provides the universal conversion operation. However, this protocol was broken by Zhang and Kim [23].

684 F. Laguillaumie, P. Paillier, and D. Vergnaud

Contributions of the Paper. The main contribution of this paper is an efficient and secure directed signature scheme featuring for the first time the universal conversion property. Our design relies on a simple observation known as the xyz-trick [20] which applies to bilinear map groups and allows to realize new cryptographic protocols achieving tradeoffs between authenticity and privacy.

We propose a security model for universally convertible directed signatures that captures and extends the strongest notions of unforgeability and signature invisibility. We prove that our signatures are existentially unforgeable, in the random oracle model, under chosen-message attacks with respect to a new computational assumption closely related to the Diffie-Hellman assumption.

We also show that our signatures are invisible, in the random oracle model, in a weak sense assuming the Decisional Tripartite Diffie-Hellman (DTDH) problem is intractable, and in a strong sense under a non-standard yet well-defined assumption. The scheme supports many variations, and it is easy to achieve invisibility under the DTDH assumption.

In addition to that, we introduce traceable universally convertible directed signatures by which a (master) tracing key enables a Tracing Authority (TA) to link signatures to their direction, i.e. their issuer and confirmer (we also use the term receiver). We realize the concept using an efficient variation of our basic scheme. We show that the obtained signature scheme inherits the security properties of the basic scheme and that the power conferred to the TA by the tracing key is computationally limited to the tracing procedure.

2 Preliminaries 

2.1 Bilinear Group Systems 

Recently, bilinear maps have opened a new territory in cryptography, making possible the realization of protocols that were previously unknown or impractical. We now recall the definition of bilinear group systems. In the sequel, we make use of a bilinear group pair (G_1, G_2) for which there is an efficiently computable isomorphism ρ from G_2 to G_1.

Definition 1 (Bilinear group system). A bilinear group system is a tuple (q, P_1, P_2, g_t, G_1, G_2, G_t, ⟨·,·⟩, ρ) where q is a prime number, G_1, G_2, G_t are groups of order q with efficiently computable inner laws, ⟨P_1⟩ = G_1, ⟨P_2⟩ = G_2, ⟨g_t⟩ = G_t, ⟨·,·⟩ : G_1 × G_2 → G_t is an efficiently computable map such that for all (x, y) ∈ Z², ⟨xP_1, yP_2⟩ = ⟨P_1, P_2⟩^{xy} holds and ⟨P_1, P_2⟩ ≠ 1, and ρ : G_2 → G_1 is an efficiently computable isomorphism with ρ(P_2) = P_1.

Definition 2 (Bilinear group system generator). A bilinear group system generator is a probabilistic algorithm Setup that takes as input a security parameter $k$ and outputs a bilinear group system $(q, P_1, P_2, g_t, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_t, \langle\cdot,\cdot\rangle, \rho) \leftarrow \mathrm{Setup}(k)$ such that $q$ is a $k$-bit prime number.

2.2 Computational Problems in Bilinear Group Systems

Depending on its practical embodiment, a bilinear group system may or may not provide an efficiently computable isomorphism from $\mathbb{G}_1$ to $\mathbb{G}_2$. In particular, $\rho$ may not be efficiently invertible. In this case, there is a computational separation between problems defined over $\mathbb{G}_1$ and $\mathbb{G}_2$. For instance, the Decisional Diffie-Hellman problem $\mathrm{DDH}[\mathbb{G}_2]$ on $\mathbb{G}_2$ is trivial since $\langle\rho(xP_2), yP_2\rangle = \langle P_1, xyP_2\rangle$ for any $x, y \in \mathbb{Z}_q^*$, but the same problem defined over $\mathbb{G}_1$ may remain intractable. Several new computational problems of various flavors have recently been defined over bilinear groups. We now give the definitions of the complexity assumptions we will be using in this paper.

Tripartite Diffie-Hellman (TDH): Let $(q, P_1, P_2, g_t, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_t, \langle\cdot,\cdot\rangle, \rho)$ be a bilinear group system. Given group elements $(xP_1, yP_1, zP_2) \in \mathbb{G}_1^2 \times \mathbb{G}_2$, compute $xyzP_1 \in \mathbb{G}_1$.

This computational problem is at least as difficult as the computational bilinear Diffie-Hellman problem [6]. Similarly, Decisional Tripartite Diffie-Hellman is defined as the problem of distinguishing the distribution of (co-)Diffie-Hellman tuples $\{(xP_1, yP_1, zP_2, xyzP_1) \mid x, y, z \leftarrow \mathbb{Z}_q^*\}$ from the uniform distribution over $\mathbb{G}_1^2 \times \mathbb{G}_2 \times \mathbb{G}_1$:

Decisional Tripartite Diffie-Hellman (DTDH): Let $(q, P_1, P_2, g_t, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_t, \langle\cdot,\cdot\rangle, \rho)$ be a bilinear group system. Given group elements $(xP_1, yP_1, zP_2, uP_1) \in \mathbb{G}_1^2 \times \mathbb{G}_2 \times \mathbb{G}_1$, decide whether $u = xyz \pmod q$.

The security of our signatures also relies on the following new computational problem:

Flexible Square Diffie-Hellman (FSDH): Let $(q, P_1, P_2, g_t, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_t, \langle\cdot,\cdot\rangle, \rho)$ be a bilinear group system. Given $xP_2 \in \mathbb{G}_2$, output a tuple $(Q, xQ, x^2Q) \in \mathbb{G}_1^3$ for some freely chosen $Q \in \mathbb{G}_1$.

Remark 1. Even though not really considered as classical, the KEA1 assumption² was introduced in 1991 by Damgård [14]. Roughly speaking, KEA1 captures the intuition that any algorithm which, given a pair $(P, xP) \in \mathbb{G}^2$, computes a pair $(Q, xQ) \in \mathbb{G}^2$ must “know” $\log_P Q$. It is easily seen that under KEA1, the FSDH assumption is equivalent to a co-Diffie-Hellman assumption defined over $\mathbb{G}_1$ and $\mathbb{G}_2$.

2.3 Designated-Verifier Proofs of Equality of Two Discrete Logarithms

To make our security reductions complete, the executions of the confirming/denying protocols have to be simulated in the random oracle model. Therefore we rely in the design of our scheme on a procedure allowing one to prove in a non-transferable way the equality (or the inequality) of two discrete logarithms without revealing information on their value. We make use of non-interactive designated-verifier zero-knowledge proofs [18] of equality of discrete logarithms $\log_\alpha \beta = \log_g y$. The notation is $\mathrm{DVPK}[x : \beta = \alpha^x \wedge y = g^x]$, where $\alpha$ and $g$ are two elements of the same prime order in their respective groups. We use the notation $\mathrm{DVPK}[x : \beta \neq \alpha^x \wedge y = g^x]$ for the dual proof of inequality. Designated-verifier proofs form the basis of denying and confirmation protocols in many undeniable and confirmer signature schemes in the literature. We refer the reader to [18] for further details.

² This assumption and some variants are formally analyzed in [3] and have been used to prove that 3-round protocols were zero-knowledge.

3 Universally Convertible Directed Signatures

3.1 Definition

Given an integer $k$, a universally convertible directed signature scheme DS with security parameter $k$ is formally defined by the following:

— generation of public parameters: DS.Setup is a probabilistic algorithm which takes as input $k$ and outputs public parameters (which include a description of the signature space);

— key generation for signer A and confirmer B: DS.Signer.KeyGen is a probabilistic algorithm which takes as input the public parameters and outputs a signing key pair $(pk_A, sk_A)$. DS.Confirmer.KeyGen is a probabilistic algorithm which takes as input the public parameters and outputs a confirmer key pair $(pk_B, sk_B)$;

— key registration: DS.Register is a protocol between a user and a “Key Registration Authority” which takes as input the public parameters and the user’s public key $pk$, and outputs a pair $(pk, \mathit{notif})$ where $\mathit{notif} \in \{\mathrm{accept}, \mathrm{reject}\}$ is the registration authorization decision. The fact that a given public key has been properly registered with the authority is guaranteed by a signature of it by the authority.

— signature generation: DS.Sign is a probabilistic algorithm which takes as input a bitstring $m \in \{0,1\}^*$, the signer’s private key $sk_A$, the confirmer’s public key $pk_B$ and the public parameters. The output bitstring $\sigma$ is called an $(A,B)$-directed signature on $m$;

— signature verification by confirmer B (resp. signer A): DS.Confirmer.Verify (resp. DS.Signer.Verify) is a deterministic algorithm which takes as input two bitstrings $m$ and $\sigma$, the signer’s public key $pk_A$, the confirmer’s private key $sk_B$ (resp. the signer’s private key $sk_A$, the confirmer’s public key $pk_B$) and the public parameters and checks whether $\sigma$ is a valid $(A,B)$-directed signature on $m$;

— confirming/denying protocols with confirmer B (resp. signer A): DS.Confirmer.{Confirm, Deny} (resp. DS.Signer.{Confirm, Deny}) are protocols between a confirmer (resp. a signer) and a third party which take as input two bitstrings $m$ and $\sigma$, the signer’s public key $pk_A$, the confirmer’s private key $sk_B$ (resp. the signer’s private key $sk_A$, the confirmer’s public key $pk_B$) and the public parameters. The output is a non-transferable proof that $\sigma$ is a valid or an invalid $(A,B)$-directed signature on $m$;

— individual conversion by confirmer B (resp. signer A): DS.Confirmer.Convert (resp. DS.Signer.Convert) is a deterministic algorithm which takes as input a bitstring $\sigma$, the signer’s public key $pk_A$, the confirmer’s private key $sk_B$ (resp. the signer’s private key $sk_A$, the confirmer’s public key $pk_B$) and the public parameters, and outputs a bitstring $\sigma_B$ called a B-converted signature (resp. $\sigma_A$ called an A-converted signature);

— verification of a B-(resp. A-)converted signature: DS.User.VerifyConfirmer (resp. DS.User.VerifySigner) is a deterministic algorithm which takes as input two bitstrings $m$ and $\sigma_B$ (resp. $\sigma_A$), the signer’s public key $pk_A$, the confirmer’s public key $pk_B$ and the public parameters and checks whether $\sigma_B$ (resp. $\sigma_A$) is a valid B-converted (resp. A-converted) signature on $m$;

— generation of a universal trapdoor by confirmer B (resp. signer A): DS.Confirmer.Trapdoor (resp. DS.Signer.Trapdoor) is a deterministic algorithm which takes as input the signer’s public key $pk_A$, the confirmer’s private key $sk_B$ (resp. the signer’s private key $sk_A$, the confirmer’s public key $pk_B$), the public parameters and outputs a universal trapdoor $T_{A,B}$ which makes it possible to universally verify all $(A,B)$-directed signatures;

— universal signature verification: DS.User.Verify is a deterministic algorithm which takes as input three bitstrings $m$, $\sigma$ and $T$, the signer’s public key $pk_A$, the confirmer’s public key $pk_B$ and the public parameters, and tells whether $\sigma$ is a valid $(A,B)$-directed signature on $m$.

Moreover, a universally convertible directed signature scheme must satisfy the following (informally defined here, precisely detailed in the next section) properties:

1. correctness: properly formed $(A,B)$-directed, A-converted and B-converted signatures must be accepted by the verification algorithms;

2. unforgeability: it is computationally infeasible, without the knowledge of the signer’s private key, to produce a directed signature that is accepted by the verification algorithms or by the confirming protocols;

3. completeness and soundness: the verification protocols are complete and sound, where completeness means that valid (invalid) signatures can always be proven valid (invalid) and soundness means that no valid (invalid) signature can be proven invalid (valid);

4. invisibility: given a message $m$ and a purported $(A,B)$-directed signature $\sigma$ on $m$, it is computationally infeasible, without the knowledge of the confirmer’s or the signer’s private key, to ascertain that $\sigma$ is a valid $(A,B)$-directed signature on $m$;

5. non-transferability: a user participating in an execution of the confirming/denying protocols does not obtain information that could be used to convince a third party about the validity/invalidity of a signature.

3.2 Security Notions for Universally Convertible Directed Signatures

Unforgeability against adaptive chosen message attacks. The de facto standard notion of security for digital signatures was formalized by Goldwasser, Micali and Rivest [16] as existential unforgeability under adaptive chosen message attacks (EF-CMA). For universally convertible directed signatures, unforgeability is defined along the same lines, with the notable difference that the adversary can be any of the confirmers chosen by the signer. Therefore, in the attack scenario, the forger $\mathcal{A}$ is allowed to request signatures directed to any registered user of her choice (whose secret key might be known to her). Besides, signer individual/universal conversion algorithms might also leak information to the adversary. We therefore suppose that the adversary knows the confirmers’ private keys and the associated signer-generated universal trapdoors, and we allow her to request the individual conversion of any signature of her choice. As usual, the forger has the natural restriction that the returned forgery (including a message, a directed signature and a confirmer’s identity) has not been returned by the signing oracle during the game.

Invisibility of signatures. The strongest security notion for undeniable and confirmer signatures is the one of invisibility introduced by Chaum, van Heijst and Pfitzmann in [13]. We precisely define the notion of signature invisibility under adaptive chosen message attacks in our context, introducing two flavors of invisibility, weak-Inv-CMA and Inv-CMA.

We consider an adversary $\mathcal{A}$ that runs in two stages: in the find stage, $\mathcal{A}$ takes as input the public keys $pk_A$ and $pk_B^*$, and outputs a message $m^*$ together with some state information $I^*$. In the guess stage, $\mathcal{A}$ gets as input $I^*$ and a challenge signature $\sigma^*$ either formed by signing the message $m^*$ or chosen at random in the signature space. Then $\mathcal{A}$ returns her guess as to whether $\sigma^*$ is a valid $(A,B)$-directed signature on $m^*$ or not.

In the weak-Inv-CMA model, the adversary has access in both stages to the signing oracle Sign and to the confirming/denying oracles Confirm and Deny. In the Inv-CMA model, $\mathcal{A}$ is also given access to the individual conversion oracle Convert and to the universal trapdoor generation oracle Trapdoor. In both cases, she is allowed to invoke these oracles on any message and any confirmer of her choice, with the restriction of not sending $(m^*, \sigma^*, pk_B^*)$ to the oracles Confirm, Deny and Convert in the second stage and not sending $pk_B^*$ to the oracle Trapdoor at any stage.

Let $t \in \mathbb{N}^{\mathbb{N}}$, $\mathbf{q} = (q_{\mathrm{Sign}}, q_{\mathrm{Confirm}}, q_{\mathrm{Deny}}, q_{\mathrm{Conv}}, q_{\mathrm{Trap}}, q_{\mathrm{Reg}}) \in [\mathbb{N}^{\mathbb{N}}]^6$ and $\varepsilon \in [0,1]^{\mathbb{N}}$. An algorithm $\mathcal{A}$ is a $(k, t, \mathbf{q}, \varepsilon)$-forger (resp. a $(k, t, \mathbf{q}, \varepsilon)$-distinguisher) against DS if for all integers $k$, it runs in time at most $t(k)$, makes at most $q_{\mathrm{Sign}}(k), q_{\mathrm{Confirm}}(k), q_{\mathrm{Deny}}(k), q_{\mathrm{Conv}}(k), q_{\mathrm{Trap}}(k), q_{\mathrm{Reg}}(k)$ queries to the given oracles, and has forgery success (resp. distinguishing advantage) $\geq \varepsilon(k)$ against DS with security parameter $k$.

4 Efficient Universally Convertible Directed Signatures

We now describe our first universally convertible directed signature scheme, which for readability is denoted again by DS.

Generation of public parameters

DS.Setup: Given a security parameter $k$, the public parameters are $(q, P_1, P_2, g_t, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_t, \langle\cdot,\cdot\rangle, \rho) \leftarrow \mathrm{Setup}(k)$ as well as a hash function $H$ mapping arbitrary bit strings to $\mathbb{Z}_q^*$.

Key generation

DS.Signer.KeyGen: Signer A picks random $x_1, x_2 \leftarrow \mathbb{Z}_q^*$ and computes $X_1 = x_1P_1$ and $X_2 = x_2P_2$. A’s public key is $(X_1, X_2) \in \mathbb{G}_1 \times \mathbb{G}_2$. A’s private key is $(x_1, x_2)$.

DS.Confirmer.KeyGen: Confirmer B picks a random $y \leftarrow \mathbb{Z}_q^*$ and computes $Y = yP_1$. B’s public key is $Y \in \mathbb{G}_1$. B’s private key is $y$.

DS.{Signer, Confirmer}.Register: A confirmer public key $pk_B = Y = yP_1$ is registered by letting B prove (possibly non-interactively) the knowledge of $y$ to the registration authority by engaging in $\mathrm{DVPK}[y : Y = yP_1]$. Similarly, a user registers his signing public key $pk_A = (X_1, X_2) = (x_1P_1, x_2P_2)$ by proving in zero-knowledge her/his knowledge of $x_1$ and $x_2$. The fact that a given public key has been properly registered with the authority is guaranteed by a signature of it by the authority.

Signature generation

DS.Sign: Given a message $m \in \{0,1\}^*$ and the public key $Y$ of a confirmer, A picks a random $r \leftarrow \mathbb{Z}_q^*$, and computes $U = rP_2$ and $V = (r x_1)(x_2 + H(m, U, Y))^{-1} Y$. In case $x_2 + H(m, U, Y) = 0 \pmod q$, A restarts the signing procedure with a new value for $r$. The signature is $\sigma = (U, V)$.

Verification by confirmer/signer

DS.Confirmer.Verify: Given a message $m \in \{0,1\}^*$ and a signature $\sigma = (U, V)$, B checks whether $\sigma \in \mathbb{G}_2 \times \mathbb{G}_1$ and $\langle V, X_2 + H(m, U, Y)P_2\rangle = \langle X_1, U\rangle^{y}$.

DS.Signer.Verify: Given a message $m \in \{0,1\}^*$ and a signature $\sigma = (U, V)$, A checks whether $\sigma \in \mathbb{G}_2 \times \mathbb{G}_1$ and $\langle V, X_2 + H(m, U, Y)P_2\rangle = \langle Y, U\rangle^{x_1}$.

Confirmation and disavowal protocols

DS.Signer.{Confirm, Deny}: Given a message $m \in \{0,1\}^*$ and a signature $\sigma = (U, V)$, A proves to any third party that

$\mathrm{DVPK}[x_1 : \langle V, X_2 + H(m, U, Y)P_2\rangle = \langle Y, U\rangle^{x_1} \wedge X_1 = x_1P_1]$
or $\mathrm{DVPK}[x_1 : \langle V, X_2 + H(m, U, Y)P_2\rangle \neq \langle Y, U\rangle^{x_1} \wedge X_1 = x_1P_1]$.

DS.Confirmer.{Confirm, Deny}: Given a message $m \in \{0,1\}^*$ and a signature $\sigma = (U, V)$, B proves to any third party that

$\mathrm{DVPK}[y : \langle V, X_2 + H(m, U, Y)P_2\rangle = \langle X_1, U\rangle^{y} \wedge Y = yP_1]$
or $\mathrm{DVPK}[y : \langle V, X_2 + H(m, U, Y)P_2\rangle \neq \langle X_1, U\rangle^{y} \wedge Y = yP_1]$.
Individual conversion and verification algorithms

DS.Signer.Convert: Given a purported $(A,B)$-directed signature $\sigma = (U, V)$, A computes $W = x_1U \in \mathbb{G}_2$ and outputs $\sigma_A = (U, V, W) \in \mathbb{G}_2 \times \mathbb{G}_1 \times \mathbb{G}_2$ as an A-converted signature on $m$.

DS.User.VerifySigner: Given a message $m \in \{0,1\}^*$ and a converted signature $\sigma_A = (U, V, W)$, any user checks whether $\langle X_1, U\rangle = \langle P_1, W\rangle$ and $\langle V, X_2 + H(m, U, Y)P_2\rangle = \langle Y, W\rangle$.

DS.Confirmer.Convert: Given a purported $(A,B)$-directed signature $\sigma = (U, V)$, B computes $W = yU \in \mathbb{G}_2$ and outputs $\sigma_B = (U, V, W) \in \mathbb{G}_2 \times \mathbb{G}_1 \times \mathbb{G}_2$ as a B-converted signature on $m$.

DS.User.VerifyConfirmer: Given a message $m \in \{0,1\}^*$ and a converted signature $\sigma_B = (U, V, W)$, any user checks whether $\langle Y, U\rangle = \langle P_1, W\rangle$ and $\langle V, X_2 + H(m, U, Y)P_2\rangle = \langle X_1, W\rangle$.

Universal trapdoor generation and verification algorithms

DS.{Signer, Confirmer}.Trapdoor: A or B computes $T = yX_1 = x_1Y = x_1yP_1$ and makes $T$ public.

DS.User.Verify: Given a message $m \in \{0,1\}^*$ and a signature $\sigma = (U, V)$, any user uses the trapdoor $T$ to check whether $\langle V, X_2 + H(m, U, Y)P_2\rangle = \langle T, U\rangle$.
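The scheme above, written out as an added example (not the paper's code) over a deliberately insecure stand-in for the bilinear group system: $\mathbb{G}_1 = \mathbb{G}_2 = (\mathbb{Z}_q, +)$ with $P_1 = P_2 = 1$, $\rho$ the identity, and $\langle a, b\rangle = g^{ab} \bmod p$ into the order-$q$ subgroup of $\mathbb{Z}_p^*$. The toy parameters $q = 1019$, $p = 2039$, $g = 4$, the SHA-256-based $H$ and the messages are constructed; the point is only to exercise every verification equation of Section 4 with each party's key material.

```python
"""Toy instantiation of the DS scheme of Section 4 (added example, not the paper's code).

The bilinear group system is an INSECURE stand-in used only to exercise the
verification equations: G1 = G2 = (Z_q, +) with P1 = P2 = 1, rho = identity,
Gt = the order-q subgroup of Z_p^* generated by g, and <a, b> = g^(a*b) mod p.
Discrete logarithms are trivial here, so this offers no security; it only shows
that every check of Section 4 accepts honest signatures and rejects tampering.
"""
import hashlib
import secrets

Q = 1019   # toy group order (constructed): prime, and p = 2q + 1 = 2039 is prime too
P = 2039
G = 4      # 4 is a non-trivial quadratic residue mod p, hence has order exactly q
P1 = P2 = 1


def pair(a, b):
    """Toy pairing <a, b> = g^(a*b) mod p: bilinear and non-degenerate."""
    return pow(G, (a * b) % Q, P)


def inv(a):
    return pow(a, -1, Q)


def rand_zq_star():
    return secrets.randbelow(Q - 1) + 1


def H(m, U, Y):
    """Hash to Z_q^* as required by DS.Setup (SHA-256 reduced into 1..q-1)."""
    data = m + U.to_bytes(4, "big") + Y.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def signer_keygen():
    """DS.Signer.KeyGen: returns sk_A = (x1, x2) and pk_A = (X1, X2)."""
    x1, x2 = rand_zq_star(), rand_zq_star()
    return (x1, x2), (x1 * P1 % Q, x2 * P2 % Q)


def confirmer_keygen():
    """DS.Confirmer.KeyGen: returns sk_B = y and pk_B = Y."""
    y = rand_zq_star()
    return y, y * P1 % Q


def sign(sk_A, Y, m):
    """DS.Sign: U = r*P2, V = (r*x1)(x2 + H(m,U,Y))^-1 * Y, restarting if x2 + H = 0."""
    x1, x2 = sk_A
    while True:
        r = rand_zq_star()
        U = r * P2 % Q
        d = (x2 + H(m, U, Y)) % Q
        if d != 0:
            return U, r * x1 * inv(d) * Y % Q


def lhs(pk_A, Y, m, sig):
    """<V, X2 + H(m,U,Y)*P2>: the common left-hand side of every verification equation."""
    U, V = sig[0], sig[1]
    return pair(V, (pk_A[1] + H(m, U, Y) * P2) % Q)


def confirmer_verify(pk_A, y, Y, m, sig):
    """DS.Confirmer.Verify: lhs == <X1, U>^y."""
    return lhs(pk_A, Y, m, sig) == pow(pair(pk_A[0], sig[0]), y, P)


def signer_verify(sk_A, pk_A, Y, m, sig):
    """DS.Signer.Verify: lhs == <Y, U>^x1."""
    return lhs(pk_A, Y, m, sig) == pow(pair(Y, sig[0]), sk_A[0], P)


def signer_convert(sk_A, sig):
    """DS.Signer.Convert: append W = x1*U."""
    return sig[0], sig[1], sk_A[0] * sig[0] % Q


def confirmer_convert(y, sig):
    """DS.Confirmer.Convert: append W = y*U."""
    return sig[0], sig[1], y * sig[0] % Q


def user_verify_signer(pk_A, Y, m, csig):
    """DS.User.VerifySigner: <X1, U> == <P1, W> and lhs == <Y, W>."""
    U, _, W = csig
    return pair(pk_A[0], U) == pair(P1, W) and lhs(pk_A, Y, m, csig) == pair(Y, W)


def user_verify_confirmer(pk_A, Y, m, csig):
    """DS.User.VerifyConfirmer: <Y, U> == <P1, W> and lhs == <X1, W>."""
    U, _, W = csig
    return pair(Y, U) == pair(P1, W) and lhs(pk_A, Y, m, csig) == pair(pk_A[0], W)


def trapdoor(pk_A, y):
    """DS.Confirmer.Trapdoor: T = y*X1 (the signer would compute x1*Y instead)."""
    return y * pk_A[0] % Q


def user_verify(pk_A, Y, m, sig, T):
    """DS.User.Verify with the universal trapdoor: lhs == <T, U>."""
    return lhs(pk_A, Y, m, sig) == pair(T, sig[0])
```

Tampering with $V$ changes the left-hand side for every verifier at once, which is why a single directed signature is checkable by B with $y$, by A with $x_1$, by anyone holding a converted form, and by anyone holding $T$.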

The correctness of DS is obvious, and the completeness and soundness of all 
protocols are classical results [10]. We now discuss a few facts about our scheme. 

Efficiency. An $(A,B)$-directed signature $\sigma$ is a pair of elements in $\mathbb{G}_2 \times \mathbb{G}_1$, being in that respect comparable to Boneh and Boyen’s recent signature scheme [5]. Signature generation requires an inversion modulo $q$ followed by one exponentiation in $\mathbb{G}_1$ and one exponentiation in $\mathbb{G}_2$. Therefore, no pairing is required. Signature verification by the confirmer is a bit more demanding as a couple of pairings have to be computed. We note that the conversion procedures, as well as the generation of a universal trapdoor, require a single exponentiation in $\mathbb{G}_1$ or $\mathbb{G}_2$ and are therefore pairing-free.

Verifiability Properties. We note that our scheme is fully verifiable in the sense that all private operations are independently verifiable by third parties. These properties are desirable even though not requested in our definitions. Typically, if our system serves as a basic primitive in a cryptographic protocol, full verifiability may allow early detection of cheating behaviors and localization of malicious parties.

Security. We note first that the property of non-transferability is fulfilled by 
our scheme as a direct consequence of the use of designated-verifier proofs in 
confirmation/disavowal protocols. Further, we state that our scheme resists exis- 
tential forgeries and that signatures are invisible. Both security reductions stand 
in the random oracle model. 

Theorem 1 (Unforgeability of DS). Let $t, q_H \in \mathbb{N}^{\mathbb{N}}$, $\mathbf{q} = (q_{\mathrm{Sign}}, q_{\mathrm{Confirm}}, q_{\mathrm{Deny}}, q_{\mathrm{Conv}}, q_{\mathrm{Trap}}, q_{\mathrm{Reg}}) \in [\mathbb{N}^{\mathbb{N}}]^6$ and $\varepsilon \in [0,1]^{\mathbb{N}}$. Assume there exists a $(k, t, \mathbf{q}, \varepsilon)$-forger $\mathcal{A}$ against DS, in the random oracle model. Further assume that $\mathcal{A}$ is limited to $q_H$ executions of $H$. Then there is an algorithm that solves the FSDH problem in the bilinear group system generator Setup with probability $\varepsilon'(k) \geq 1 - 1/2^k$ within time

$$\left[\frac{t \cdot (q_H + q_{\mathrm{Confirm}} + q_{\mathrm{Deny}} + q_{\mathrm{Conv}} + 2)}{\varepsilon}\right](k) + (\|\mathbf{q}\| + q_H) \cdot p_1,$$

where $p_1$ is an explicit polynomial and $\|\mathbf{q}\| = q_{\mathrm{Sign}} + q_{\mathrm{Confirm}} + q_{\mathrm{Deny}} + q_{\mathrm{Conv}} + q_{\mathrm{Trap}} + q_{\mathrm{Reg}}$.


Proof. The proof relies on the Forking Lemma [22] and is in spirit rather similar to the security proof of known discrete-log-based signature schemes such as Schnorr. Assume $\mathcal{A}$ is a forger that $(k, t, \mathbf{q}, \varepsilon)$-breaks DS. Here, $q_H$ stands for the number of queries submitted by $\mathcal{A}$ to $H$, since $H$ is viewed as a random oracle. We construct a reduction algorithm $\mathcal{B}$ that, by interacting with $\mathcal{A}$, solves the FSDH problem with time bound and success probability as claimed in Theorem 1. Algorithm $\mathcal{B}$ is given bilinear map parameters $(q, P_1, P_2, g_t, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_t, \langle\cdot,\cdot\rangle, \rho)$ generated by $\mathrm{Setup}(k)$ and an instance $xP_2$ of the FSDH problem. $\mathcal{B}$’s goal is to produce a tuple $(Q, xQ, x^2Q)$ for some $Q \in \mathbb{G}_1$. $\mathcal{B}$ does so by interacting with the forger $\mathcal{A}$ as follows. First, $\mathcal{B}$ picks a random $x_1 \leftarrow \mathbb{Z}_q^*$ and sets $X_1 = x_1P_1$ and $X_2 = xP_2$. The knowledge of $x_1$ will be used intensively in the simulation of DS.Signer.Confirm and DS.Signer.Deny.

Find Stage. We define a probabilistic subroutine $\mathcal{B}_0(\omega)$ of $\mathcal{B}$. Given an arbitrary input $\omega$, $\mathcal{B}_0(\omega)$ runs $\mathcal{A}$ with random tape $\omega$, transmits $(q, P_1, P_2, g_t, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_t, \langle\cdot,\cdot\rangle, \rho)$ as public parameters to $\mathcal{A}$, as well as the public key $pk_A = (X_1, X_2)$. Then $\mathcal{B}_0(\omega)$ simulates the scheme’s oracles $H$, DS.Sign, DS.Signer.{Confirm, Deny}, DS.Signer.Convert and DS.Signer.Trapdoor as follows.

Simulation of $H$. Given $m \in \{0,1\}^*$ and $(U, Y) \in \mathbb{G}_2 \times \mathbb{G}_1$, if $H(m, U, Y)$ is defined, output its value. Otherwise, pick a random $h \leftarrow \mathbb{Z}_q^*$, define $H(m, U, Y) = h$ and output $h$.

Simulation of DS.Sign. Given $m \in \{0,1\}^*$ and a confirmer’s public key $pk_B = Y$, pick random $r, h \leftarrow \mathbb{Z}_q^*$. Set $V = rx_1Y$ and $U = rX_2 + rhP_2$. If $H(m, U, Y)$ is defined and is $\neq h$, $\mathcal{B}_0(\omega)$ aborts. Otherwise $\mathcal{B}_0(\omega)$ defines $H(m, U, Y) = h$ and outputs $\sigma = (U, V)$.

Simulation of DS.Signer.{Confirm, Deny}. Since $\mathcal{B}_0(\omega)$ knows $x_1$, $\mathcal{B}_0(\omega)$ is able to verify any given directed signature and consequently to engage successfully in one of the two protocols $\mathrm{DVPK}[x_1 : \langle V, X_2 + H(m, U, Y)P_2\rangle = \langle Y, U\rangle^{x_1} \wedge X_1 = x_1P_1]$ or $\mathrm{DVPK}[x_1 : \langle V, X_2 + H(m, U, Y)P_2\rangle \neq \langle Y, U\rangle^{x_1} \wedge X_1 = x_1P_1]$ for any given $m \in \{0,1\}^*$, $\sigma = (U, V) \in \mathbb{G}_2 \times \mathbb{G}_1$ and $Y \in \mathbb{G}_1$. Note that a simulation of $H$ is required in either case.

Simulation of DS.Signer.Convert. Given $\sigma = (U, V)$, output $\sigma_A = (U, V, x_1U)$.

Simulation of DS.Signer.Trapdoor. Given $Y \in \mathbb{G}_1$, output $T = x_1Y$.

If $\mathcal{A}$ returns a forgery $(Y, m, \sigma = (U, V))$, $\mathcal{B}_0(\omega)$ simulates $H$ once again to get $h = H(m, U, Y)$ and checks whether $\langle V, X_2 + H(m, U, Y)P_2\rangle = \langle Y, U\rangle^{x_1}$. If the equality holds, and if $\sigma$ does not appear in the transcript of DS.Sign, $\mathcal{B}_0(\omega)$ is said to succeed.

Algorithm $\mathcal{B}$ restarts $\mathcal{B}_0(\omega)$ for random values of $\omega \leftarrow \{0,1\}^*$ until $\mathcal{B}_0(\omega)$ succeeds. Let $(Y, m, \sigma = (U, V))$ be the last output of $\mathcal{A}$. Then $\mathcal{B}$ memorizes $\omega$, the index $j$ of $(m, U, Y) \mapsto h$ in $H$’s transcript (sorted in chronological order), and the first $j$ outputs of $H$, noted $h_1, \ldots, h_j$. If $\iota$ denotes the index in the transcript of DS.Sign of the last signature output before $H$ returns $h_j$, $\mathcal{B}$ also memorizes $\iota, \sigma_1, \ldots, \sigma_\iota$.

Replay Stage. As is classical with forking-based reductions, we define a second probabilistic subroutine $\mathcal{B}_1(\omega)$ of $\mathcal{B}$ whose role is essentially to replay the last and successful execution of $\mathcal{B}_0(\omega)$ until the moment when $H$ is about to output $h_j$, and then simulate all oracles with fresh random values from that moment on. The tape $\omega$ being given by the find stage, $\mathcal{B}_1(\omega)$ runs $\mathcal{A}$ with random tape $\omega$, transmits the same public parameters $(q, P_1, P_2, g_t, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_t, \langle\cdot,\cdot\rangle, \rho)$ to $\mathcal{A}$, as well as $pk_A = (X_1, X_2)$. Then $\mathcal{B}_1(\omega)$ simulates the oracles as follows, using its own random tape $\pi$.

Simulation of $H$. If the query index is $i < j$, output $h_i$. Otherwise, simulate as in the find stage with fresh random values.

Simulation of DS.Sign. If the query index is $i' \leq \iota$, output $\sigma_{i'}$. Otherwise, simulate as in the find stage with fresh random values.

All other oracles are simulated exactly as in the find stage. If $\mathcal{A}$ returns a forgery $(Y', m', \sigma' = (U', V'))$, $\mathcal{B}_1(\omega)$ queries its own simulation of $H$ to verify $\sigma'$ the same way $\mathcal{B}_0(\omega)$ verified $\sigma$. If $\sigma'$ is invalid or was output by the simulation of DS.Sign, or if the index of $(m', U', Y') \mapsto h'$ in the transcript of $H$ is $j' \neq j$, then $\mathcal{B}_1(\omega)$ is said to fail.

Algorithm $\mathcal{B}$ restarts $\mathcal{B}_1(\omega)$ with random values for $\pi$ until $\mathcal{B}_1(\omega)$ succeeds. Let then $(Y', m', \sigma' = (U', V'))$ be the last output of $\mathcal{A}$.

Key Retrieval Stage. We perform a specific stage that allows $\mathcal{B}$ to retrieve the confirmer private key $y'$ associated to the find-stage forgery $(Y', m', \sigma')$, i.e. such that $Y' = y'P_1$. To this end, $\mathcal{B}$ replays $\mathcal{B}_1$ once with a slightly modified random tape $\pi' \approx \pi$ such that replaying the registration stage of $Y'$ by $\mathcal{A}$ allows one to extract $y'$. As registration is performed via a non-interactive DVPK of a discrete log, modifying the ‘challenge’ value returned by the internal hash function of the protocol yields $y'$ by knowledge extraction³. $\mathcal{B}$ then stops $\mathcal{A}$ and memorizes $y'$.

Final Outcome. $\mathcal{B}$ disposes of two valid forgeries $(Y, m, \sigma = (U, V))$ and $(Y', m', \sigma' = (U', V'))$. Since $(m', U', Y') \mapsto h'$ and $(m, U, Y) \mapsto h$ have the same index in the transcript of $H$, we must have $(m', U', Y') = (m, U, Y)$ by a causality argument. In particular, $\mathcal{B}$ knows $y = y'$. $\mathcal{B}$ then computes $A = x_1^{-1}y^{-1}V$ and $A' = x_1^{-1}y^{-1}V'$. From the simulation, there exists $r$ (unknown to $\mathcal{B}$) such that $A = r(x+h)^{-1}P_1$ and $A' = r(x+h')^{-1}P_1$. $\mathcal{B}$ poses $R = rP_1$ (which $\mathcal{B}$ can compute as $\rho(U)$, since $U = rP_2$) and $Q = (h' - h)^{-1}(A - A') = r[(x+h)(x+h')]^{-1}P_1 = [(x+h)(x+h')]^{-1}R$, or aborts if $h' - h = 0 \pmod q$. Finally, one has $A = (x+h')Q$ so that $A - h'Q = xQ$. Since $R = (x+h)(x+h')Q$, we get $R - (h+h')xQ - hh'Q = x^2Q$ and $\mathcal{B}$ outputs $(Q, xQ, x^2Q)$ to its own challenger.

³ This technique is classical and we therefore do not enter into more details here.
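The extraction above carried out numerically, as an added example that is not part of the paper: the group is the insecure toy $\mathbb{G}_1 = (\mathbb{Z}_q, +)$ with $P_1 = 1$ (so $\rho(U) = r$), the two forks are built directly from constructed secrets $x_1, x, y, r$ and two hash answers $h \neq h'$ rather than by running a forger, and the function checks that the recovered triple really is $(Q, xQ, x^2Q)$ for the FSDH secret $x$ hidden in $X_2$.

```python
"""Final Outcome step of the proof of Theorem 1 (added example, not the paper's code).

The toy group is G1 = (Z_q, +) with P1 = 1, so group elements are integers mod q
and scalar multiplication is ordinary multiplication; discrete logs are trivial,
which is fine because the point is only to check the extraction algebra.  The two
forks of the forger are modelled directly: both forgeries share (m, U, Y), hence
the same unknown r, and differ only in the random-oracle answer h versus h'.
"""
Q = 1019  # toy prime group order (constructed)


def inv(a):
    return pow(a, -1, Q)


def forged_V(x1, x, y, r, h):
    """The unique V passing DS.Signer.Verify for U = r*P2 and hash value h, i.e.
    V = r*x1*(x+h)^-1 * y*P1, where x = x2 is the FSDH secret embedded as X2 = x*P2."""
    return r * x1 * inv((x + h) % Q) * y % Q


def fsdh_extract(V, V_, R, h, h_, x1, y):
    """Given the two forks' V and V', R = rho(U) = r*P1, the two hash answers h != h'
    and the simulator's own x1 and y, return (Q, xQ, x^2 Q) as computed in the proof."""
    if (h_ - h) % Q == 0:
        return None                                   # the reduction aborts here
    A = inv(x1) * inv(y) * V % Q                      # A  = r (x+h)^-1  P1
    A_ = inv(x1) * inv(y) * V_ % Q                    # A' = r (x+h')^-1 P1
    Qp = inv((h_ - h) % Q) * (A - A_) % Q             # Q  = [(x+h)(x+h')]^-1 R
    xQ = (A - h_ * Qp) % Q                            # from A = (x+h') Q
    x2Q = (R - (h + h_) * xQ - h * h_ * Qp) % Q       # from R = (x+h)(x+h') Q
    return Qp, xQ, x2Q


def run_extraction(x1=5, x=77, y=13, r=200, h=300, h_=301):
    """Build the two forks from constructed secrets and extract; returns the triple
    together with the FSDH secret x so a caller can check Q, xQ, x^2 Q are consistent."""
    V, V_ = forged_V(x1, x, y, r, h), forged_V(x1, x, y, r, h_)
    R = r * 1 % Q                 # rho(U) = rho(r*P2) = r*P1, computable from the forgery
    return fsdh_extract(V, V_, R, h, h_, x1, y), x
```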

Reduction cost. We start with a preliminary observation. The transcript of $H$ contains exactly $q_{\mathrm{tot}}(k)$ hash definitions, where $q_{\mathrm{tot}} = q_H + q_{\mathrm{Sign}} + q_{\mathrm{Confirm}} + q_{\mathrm{Deny}} + 1$, since the simulation of $H$ is invoked by the simulation of other oracles (the constant term 1 comes from the verification of the forgery). Among these hash values, exactly $q_{\mathrm{Sign}}(k)$ were defined by the simulation of DS.Sign and, by construction, the $j$-th hash definition $H(m, U, Y)$ cannot be one of these.

Let us denote by $H_j$ the set of vectors $(h_1, \ldots, h_{q_{\mathrm{tot}}(k)})$ leading to a forgery of index $j$ and $\varepsilon_j = \Pr[(h_1, \ldots, h_{q_{\mathrm{tot}}(k)}) \in H_j]$, the probability being taken over all the values of $h_1, \ldots, h_{q_{\mathrm{tot}}(k)}$ over $\mathbb{Z}_q^*$. Note that the $\varepsilon_j$’s may depend on $\mathcal{A}$ and $\omega$ but in any case $\sum_j \varepsilon_j = \varepsilon(k)$ must hold. Following our remark above, there must be at least $q_{\mathrm{Sign}}(k)$ values of $j$ for which $\varepsilon_j = 0$. We now invoke the Splitting Lemma.

Lemma 1 (Splitting Lemma [22]). Noting $X_j$ the set of vectors $(h_1, \ldots, h_{j-1})$ such that

$$\Pr\left[(h_1, \ldots, h_{j-1}, h'_j, \ldots, h'_{q_{\mathrm{tot}}(k)}) \in H_j\right] \geq \frac{\varepsilon_j}{2},$$

where the probability is taken over $h'_j, \ldots, h'_{q_{\mathrm{tot}}(k)} \leftarrow \mathbb{Z}_q^*$, one has

$$\Pr\left[(h_1, \ldots, h_{j-1}) \in X_j \;\middle|\; (h_1, \ldots, h_{q_{\mathrm{tot}}(k)}) \in H_j\right] \geq \frac{1}{2},$$

where the probability is taken over $h_1, \ldots, h_{j-1} \leftarrow \mathbb{Z}_q^*$.

We expect the find and key retrieval stages to require at most $\varepsilon(k)^{-1} + 1$ executions of $\mathcal{A}$. Suppose that the transcript of $H$ when $\mathcal{B}_0(\omega)$ succeeds is $(h_1, \ldots, h_{q_{\mathrm{tot}}(k)}) \in H_j$ for some $j$. This event occurs with non-zero probability $\varepsilon_j/\varepsilon(k)$ as soon as $\varepsilon_j \neq 0$. Further assume that $(h_1, \ldots, h_{j-1}) \in X_j$; the probability that this occurs is at least $1/2$. Then the expected number of executions of $\mathcal{B}_1(\omega)$ is $2/\varepsilon_j$. Putting it all together, and taking into account the abortion case $h' = h \pmod q$, $\mathcal{B}$ succeeds with probability $\geq 1 - 1/2^k$ after

$$\frac{1}{\varepsilon(k)} + 1 + \sum_{j} \frac{\varepsilon_j}{\varepsilon(k)} \cdot \frac{2}{\varepsilon_j} \;\leq\; \frac{2\,\bigl(q_{\mathrm{tot}}(k) - q_{\mathrm{Sign}}(k)\bigr) + \varepsilon(k) + 1}{\varepsilon(k)}$$

executions of $\mathcal{A}$, i.e. in time at most $[t \cdot (q_H + q_{\mathrm{Confirm}} + q_{\mathrm{Deny}} + q_{\mathrm{Conv}} + 2)/\varepsilon](k)$. The term $(\|\mathbf{q}\| + q_H) \cdot p_1$ comes from the time needed to simulate all oracles. □

Remark 2. The simulation of the DVPKs imposes the random oracle model and we therefore must allow the adversary to query the internal oracles used to compute proofs. The simulation cost induced by these queries is included in $q_H$.


We also state that DS is weakly invisible under the assumption that the Decisional Tripartite Diffie-Hellman problem is intractable:

Theorem 2 (Weak Invisibility of DS). Let $t, q_H \in \mathbb{N}^{\math bb{N}}$, $\mathbf{q} = (q_{\mathrm{Sign}}, q_{\mathrm{Confirm}}, q_{\mathrm{Deny}}, 0, 0, q_{\mathrm{Reg}}) \in [\mathbb{N}^{\mathbb{N}}]^6$ and $\varepsilon \in [0,1]^{\mathbb{N}}$. Assume there exists a $(k, t, \mathbf{q}, \varepsilon)$-distinguisher $\mathcal{A}$ against DS, in the random oracle model. Then there exists an algorithm that solves the DTDH problem in the bilinear group system generator Setup with probability $\varepsilon' = \varepsilon/2 - o(1)$ within time $t' \leq q_{\mathrm{Reg}} \cdot t + (\|\mathbf{q}\| + q_H) \cdot p_2$, where $p_2$ is an explicit polynomial.

Proof. We show that, assuming the hardness of the Decisional Tripartite Diffie-Hellman problem DTDH, DS is weakly invisible under an adaptive chosen-message attack. Our reduction is in essence similar to previously known reductions in the standard model, and we therefore skip minor details. Note that $H$ need not be seen as a random oracle. The fact that we require the random oracle model only stems from the need to simulate zero-knowledge proofs.

Assume $\mathcal{A}$ is an attacker that $(k, t, \mathbf{q}, \varepsilon)$-breaks the weak invisibility of DS as defined earlier. We construct a reduction algorithm $\mathcal{B}$ that, by interacting with $\mathcal{A}$, solves a DTDH instance with time bound and advantage as claimed in Theorem 2. The outline of the reduction is as follows. Algorithm $\mathcal{B}$ is given a bilinear group system $(q, P_1, P_2, g_t, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_t, \langle\cdot,\cdot\rangle, \rho)$ generated by $\mathrm{Setup}(k)$ and an instance $(\alpha P_1, \beta P_1, \gamma P_2, \delta P_1) \in \mathbb{G}_1^2 \times \mathbb{G}_2 \times \mathbb{G}_1$. $\mathcal{B}$’s goal is to decide whether $\delta = \alpha\beta\gamma \pmod q$. $\mathcal{B}$ does so by interacting with $\mathcal{A}$ as follows. First, $\mathcal{B}$ picks a random $x_2 \leftarrow \mathbb{Z}_q^*$ and sets $X_1 = \alpha P_1$ and $X_2 = x_2P_2$. Then $\mathcal{B}$ sends the public parameters to $\mathcal{A}$ as well as the signer public key $(X_1, X_2)$ and the challenge confirmer public key $Y^* = \beta P_1$. $\mathcal{B}$ attempts to simulate all oracles throughout the find stage, as shown later. $\mathcal{A}$ then returns a challenge message $m^*$. $\mathcal{B}$ then picks a random bit $b \in \{0,1\}$ and sets $U = \gamma P_2$. If $b = 0$, $\mathcal{B}$ sets $h^* = H(m^*, U, Y^*)$ and $V = (x_2 + h^*)^{-1}(\delta P_1)$. If $b = 1$, $\mathcal{B}$ picks $V \leftarrow \mathbb{G}_1$ at random. Then $\mathcal{B}$ defines $\sigma^* = (U, V)$ and $\sigma^*$ is returned to $\mathcal{A}$ as the signature challenge. Throughout the guess stage, $\mathcal{B}$ simulates the oracles the same way it did in the find stage. $\mathcal{A}$ finally outputs a guess $b' \in \{0,1\}$ and $\mathcal{B}$ returns 1 to its own challenger if $b' = b$ and 0 otherwise.

When $\delta = \alpha\beta\gamma \pmod q$, signature simulations will all be correct and the advantage of $\mathcal{A}$ in guessing $b$ is at least $\varepsilon(k)$. In the case $\delta \neq \alpha\beta\gamma \pmod q$, the signatures output by $\mathcal{B}$ are simply invalid and $\mathcal{A}$ may then behave arbitrarily. Overall, $\mathcal{B}$ correctly guesses its own challenge with probability negligibly close to $\varepsilon(k)/2$.

Key Retrieval for $Y \neq Y^*$. When $Y \neq Y^*$, $\mathcal{A}$ must have registered the public key $Y = yP_1$ prior to requesting any signature of type $(m, Y)$, so that $\mathcal{B}$ recovers $y$ via registration replay as in the proof of unforgeability. This requires rebooting and replaying $\mathcal{A}$ with the same random tape up to the point in the execution of the DVPK where bringing fresh randomness into the ‘challenge’ hash value allows one to extract the discrete log $y$. Knowing $y$, $\mathcal{B}$ continues the second execution of $\mathcal{A}$ until a new confirmer key $Y'$ is registered, and so forth. This strategy ensures that $\mathcal{B}$ can actually recover all the confirmer private keys matching the public keys registered by $\mathcal{A}$. The price to pay is a factor $q_{\mathrm{Reg}}(k)$ in the number of times $\mathcal{A}$ has to be executed. Note that, since we make use of non-interactive DVPKs of a discrete logarithm, there is no concurrent interleaving of registrations and therefore the “reboot and replay” technique applies readily.

Simulation of Signatures for $Y \neq Y^*$. Signatures are simulated in the following way. Given $(m, Y)$, $\mathcal{B}$ first recovers $y = \log_{P_1} Y$ in its transcript. Then $\mathcal{B}$ picks a random $r \leftarrow \mathbb{Z}_q^*$ and sets $U = rP_2$ and $V = ry(x_2 + h)^{-1}(\alpha P_1)$, where $h = H(m, U, Y)$. $\mathcal{B}$ memorizes $(\sigma, m, Y, r)$ in its transcript and returns $\sigma = (U, V)$.

Simulation of Other Operations Involving $B \neq B^*$. As $y = \log_{P_1} Y$ is known to $\mathcal{B}$ whenever $Y \neq Y^*$, $\mathcal{B}$ can individually convert any $(A,B)$-directed signature $\sigma = (U, V)$ given by $\mathcal{B}$ to $\mathcal{A}$ by simply computing $W = rX_1$, where $r$ is the randomness used to construct $\sigma$. Similarly, $\mathcal{B}$ can generate universal trapdoors $T = yX_1$.

Simulation of Confirmation/Denial Protocols. $\mathcal{B}$ simulates the DVPK of $x_1 = \log_{P_1} X_1$ (that $\mathcal{B}$ does not know) or $y = \log_{P_1} Y$ (that $\mathcal{B}$ knows from the key retrieval stage). This requires simulating the internal random oracle of the DVPK in the first case. The proof is then returned to (the user corrupted by) $\mathcal{A}$.

Simulation of Signatures for $Y = Y^*$. Given $m$, $\mathcal{B}$ picks a random $r \leftarrow \mathbb{Z}_q^*$, sets $U = r(\gamma P_2)$ and $V = $ , where $h = H(m, U, Y^*)$. $\mathcal{B}$ returns $\sigma = (U, V)$.

Reduction Cost. As discussed above, $\mathcal{B}$’s own challenge is solved with probability $\varepsilon'(k) \geq \varepsilon(k)/2 - \Pr[\mathrm{DVPK\ fails}]$ within time bound $q_{\mathrm{Reg}}(k) \cdot t(k) + \|\mathbf{q}\|(k) \cdot p_2(k)$, where $p_2$ is an explicit polynomial and the second term comes from the simulations of all oracles. This is as claimed in Theorem 2. □

Invisible Universally Convertible Directed Signatures. We refer the reader to Appendix A for a proof that DS is invisible under a non-standard complexity assumption referred to as the Tripartite-DCAA problem.

Because of its simplicity, however, our scheme admits many variations. A possible direction to reach invisibility under a weaker assumption consists in replacing the individual conversion algorithms by standard non-interactive zero-knowledge (NIZK) proofs of knowledge of equality/inequality of discrete logarithms. The NIZK proof is then appended to the directed signature as a replacement of the third signature part $W$. It is then possible to obtain invisibility under the Decisional Tripartite Diffie-Hellman assumption. The proof is very similar to the one of Theorem 2 except that signature conversions are provided to the adversary by simulating the corresponding NIZK proofs for signatures issued by the reduction. The other cases are upper bounded in probability by the unforgeability property of our scheme.

5 Universally Convertible Directed Signatures with Traceability

Directed signatures find a prominent application in the realization of complete peer-to-peer secure messaging systems. In such a system, users have a unique key pair $\{pk = (X_1, X_2), sk = (x_1, x_2)\}$ where $X_1 = x_1 P_1$, $X_2 = x_2 P_2$, and $x_1$ plays simultaneously the role of a signing and of a confirming key. By abuse of language, we sometimes call $x_1$ the anonymity key and $x_2$ the signing key, for reasons that will appear clearly in what follows. We view a confirmer more like a regular receiver of a signed message and preferably adopt this term in the sequel. In authenticated messaging systems, putting a restriction on the ability to verify signatures is of definite interest for the users' privacy. The property of invisibility guarantees this privacy until one of the two parties wishes to end it.

There are real-life contexts, however, in which conferring this ability to a trusted authority acting in extreme circumstances is desirable. One may think of private contract signing for instance, where criminals make use of the system to sign illegal contracts that are not publicly verifiable. What is really desired is a traceability mechanism⁴ enabling a tracing authority (TA) to link, upon request, directed signatures to their direction, i.e. the identities of their signer and receiver. We now introduce an extension of our scheme that supports signature tracing.


5.1 Description of the Scheme DST

Setup and Key generation

The generation of public parameters and keys in the system is essentially the same as above, except that we include $Z = zP_2 \in \mathbb{G}_2$ into the system public parameters. The tracing key is $z \in \mathbb{Z}_q^*$. Moreover, we require users to (securely) submit their anonymity keys $x_1$ to the Key Registration Authority (KRA). A receipt is then returned to the registering user, in the form of a nizk proof $\psi(X_1)$ that the KRA knows $x_1$.


Signature generation

Now, given a message $m \in \{0,1\}^*$ and the public key $Y$ of the receiver, signer $A$ picks random $r, s \leftarrow \mathbb{Z}_q^*$ and computes $U = rP_2$, $W = rZ + sP_2$, $T = s^{-1}Y$, and $V = r x_1 \big(x_2 + H(m, U, W, T, Y)\big)^{-1} Y$. Again, when $x_2 + H(m, U, W, T, Y) = 0 \pmod q$, $A$ restarts the signing procedure with new values for $r, s$. Next, signer $A$ computes a nizk proof of consistency

$$\pi = \mathrm{nizk}\Big[(r, s, h, x_1, x_2, Y) : \psi(X_1) \wedge \psi(Y) \wedge \langle P_1, W\rangle \langle \psi(Z), U\rangle^{-1} = g_T^{\,s} \wedge Y = sT \wedge \langle \psi(V), X_2 + hP_2\rangle = \langle \psi(X_1), T\rangle^{rs}\Big].$$

The signature is $\sigma = (U, W, T, V, \pi)$.


Other operations

The verification procedure and the confirming/denying protocols are unchanged, except that the non-interactive proof $\pi$ is additionally verified. Signature conversions are done the same way, i.e. by appending $x_1 U$ or $yU$, or a nizk proof of knowledge of $x_1$ or $y$, to the signature. The generation of trapdoors is unchanged. Universal verification requires the additional check that $\pi$ is correct.


⁴ In [19], Kiayias, Tsiounis and Yung propose a similar traceability mechanism in the context of group signatures.
Signature Tracing

A prerequisite for signature tracing is the recovery of the anonymity key $x_1$ of the suspected user. This is done by the Key Registration Authority upon judicial request. Now the TA is given a signature $\sigma = (U, W, T, V, \pi)$ of some message $m$ and is asked to decide whether $\sigma$ was issued by the given user and, if so, to whom the signature was directed. The TA first ascertains that $\pi$ is correct and searches the public key database for a key $Y$ for which $\langle T, W - zU\rangle = \langle Y, P_2\rangle$. The search always succeeds, because a proof that $Y$ lies in the set of registered keys is included in $\pi$ and is known to be correct. Now, given $Y$ and $x_1$, the TA checks whether $\langle V, X_2 + H(m, U, W, T, Y)P_2\rangle = \langle Y, U\rangle^{x_1}$. We note that in case of mismatch, the TA is left with anonymous material, meaning that if the signature was issued by some user $A'$ then the identity of $A'$ is preserved. This property is in fact computationally guaranteed, as stated later.
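The tracing procedure just described, together with DST signing, the receiver's verification and signer-side conversion of Section 5.1, as an added example in Python (not code from the paper). It uses a toy bilinear-group model in which every group element is represented by its discrete logarithm with respect to $P_1$ or $P_2$ and $\mathbb{G}_T$ is written additively, so the pairing is trivially computable and the model is cryptographically worthless; what it checks is that the equations of Section 5.1 hold as stated: $W - zU = sP_2$, $\langle T, W - zU\rangle = \langle Y, P_2\rangle$ and $\langle V, X_2 + hP_2\rangle = \langle Y, U\rangle^{x_1}$. The NIZK proof $\pi$ is omitted, $H$ is a SHA-256 stand-in for the random oracle, the receiver's verification equation is assumed to be the TA's equation read with $y$ in place of $x_1$ (the text says verification is unchanged from DS without restating it here), and the group order, keys, message and seed are all constructed.

```python
"""Toy check of the DST signing and tracing equations of Section 5.1.
Every group element is stored as its discrete logarithm (aP_1 is the integer
a) and G_T is written additively, so <aP_1, bP_2> is just ab mod q.  This has
no security value; it only exercises the equations offline."""
import hashlib
import random

q = 2**61 - 1                   # prime order of G_1, G_2, G_T (constructed toy choice)
P1 = P2 = 1                     # generators of G_1 and G_2, i.e. exponent 1

def mul(k, A):                  # scalar multiplication k*A in G_1 or G_2
    return (k * A) % q

def add(A, B):                  # group addition in G_1 or G_2
    return (A + B) % q

def pair(A, B):                 # bilinear map <A, B>: G_1 x G_2 -> G_T
    return (A * B) % q

def gt_exp(E, k):               # <A, B>^k in G_T (additive notation)
    return (E * k) % q

def inv(a):                     # inverse in Z_q^*
    return pow(a, -1, q)

def H(m, U, W, T, Y):           # hash to Z_q standing in for the random oracle
    data = f"{m}|{U}|{W}|{T}|{Y}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def keygen(rng):
    """sk = (x_1, x_2), pk = (X_1 = x_1 P_1, X_2 = x_2 P_2)."""
    x1, x2 = rng.randrange(1, q), rng.randrange(1, q)
    return (x1, x2), (mul(x1, P1), mul(x2, P2))

def sign(rng, m, Y, sk, Z):
    """Signature generation of Section 5.1; the consistency proof pi is omitted."""
    x1, x2 = sk
    while True:
        r, s = rng.randrange(1, q), rng.randrange(1, q)
        U = mul(r, P2)
        W = add(mul(r, Z), mul(s, P2))
        T = mul(inv(s), Y)
        h = H(m, U, W, T, Y)
        if (x2 + h) % q != 0:      # restart with fresh r, s when x_2 + h = 0 (mod q)
            break
    V = mul(r * x1 * inv(x2 + h), Y)
    return (U, W, T, V)

def verify_as_receiver(m, sig, pk, y):
    """Receiver's check with y, assumed to be the TA equation read with y in
    place of x_1 (the two sides agree by bilinearity)."""
    X1, X2 = pk
    U, W, T, V = sig
    h = H(m, U, W, T, mul(y, P1))
    return pair(V, add(X2, mul(h, P2))) == gt_exp(pair(X1, U), y)

def convert_by_signer(sig, x1):
    """Individual conversion by the signer: append x_1 U to the signature."""
    return sig + (mul(x1, sig[0]),)

def universal_verify(m, conv_sig, X2, Y):
    """Check a converted signature: <V, X_2 + hP_2> == <Y, x_1 U>."""
    U, W, T, V, Wc = conv_sig
    h = H(m, U, W, T, Y)
    return pair(V, add(X2, mul(h, P2))) == pair(Y, Wc)

def trace(m, sig, X2, x1, z, registry):
    """TA procedure: (receiver key found, whether the suspect with key x_1 signed)."""
    U, W, T, V = sig
    S = add(W, mul(-z, U))                     # W - zU = sP_2
    receiver = next((Y for Y in registry if pair(T, S) == pair(Y, P2)), None)
    if receiver is None:                       # cannot happen when pi is valid
        return None, False
    h = H(m, U, W, T, receiver)
    lhs = pair(V, add(X2, mul(h, P2)))
    rhs = gt_exp(pair(receiver, U), x1)        # <Y, U>^{x_1}
    return receiver, lhs == rhs

def demo():
    rng = random.Random(2005)                  # fixed seed: reproducible run
    z = rng.randrange(1, q)                    # tracing key
    Z = mul(z, P2)                             # public tracing parameter
    skA, pkA = keygen(rng)                     # signer A
    skA2, _ = keygen(rng)                      # another signer A'
    ys = rng.sample(range(1, q), 4)            # four distinct registered receivers
    registry = [mul(y, P1) for y in ys]
    yB, YB = ys[2], registry[2]
    m = "constructed message"
    sig = sign(rng, m, YB, skA, Z)             # A -> B
    sig2 = sign(rng, m, YB, skA2, Z)           # A' -> B, later traced with A's key
    return {
        "Y_B": YB,
        "receiver_ok": verify_as_receiver(m, sig, pkA, yB),
        "universal_ok": universal_verify(m, convert_by_signer(sig, skA[0]), pkA[1], YB),
        "trace_A": trace(m, sig, pkA[1], skA[0], z, registry),
        "trace_A_prime_with_A_key": trace(m, sig2, pkA[1], skA[0], z, registry),
    }
```

Calling demo() returns a dictionary in which the receiver's check and universal verification succeed, tracing A's signature with A's disclosed anonymity key recovers B's key and confirms A as the signer, and tracing a signature of a different signer A' with A's key still recovers B (the search over the registry succeeds whoever signed) but the second check fails, which is the "anonymous material" outcome described above. The scan over the registry is the $O(N)$ pairing cost noted in Section 5.3.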


5.2 Security Analysis

We state that $(A,B)$-directed signatures are existentially unforgeable and invisible under adaptive chosen-message attack for any user $\neq A, B, \mathrm{TA}$. We rely again on the FSDH and the DTDH assumptions in the random oracle model.

Theorem 3 (Unforgeability and Weak Invisibility). Let $t, q_H \in \mathbb{N}^{\mathbb{N}}$, $q = (q_{\mathrm{Sign}}, q_{\mathrm{Confirm}}, q_{\mathrm{Deny}}, q_{\mathrm{Conv}}, q_{\mathrm{Trap}}, q_{\mathrm{Reg}}) \in [\mathbb{N}^{\mathbb{N}}]^6$ and $\varepsilon \in [0,1]^{\mathbb{N}}$.

1. Assume there exists a $(k, t, q, \varepsilon)$-forger $A$ against DST, in the random oracle model. Further assume that $A$ is limited to $q_H$ executions of $H$. Then there is an algorithm that solves the FSDH problem in the bilinear group system generator Setup with probability $\varepsilon'(k) \ge 1 - 1/2^k$ within time
f < t ■ {q “ - + e" y + ,c “ v *‘ + - + (Ml + 1«) ■ P3, 

where $p_3$ is an explicit polynomial.

2. Assume there exists a $(k, t, (q_{\mathrm{Sign}}, q_{\mathrm{Confirm}}, q_{\mathrm{Deny}}, 0, 0, q_{\mathrm{Reg}}), \varepsilon)$-distinguisher $A$ against DST, in the random oracle model. Then there exists an algorithm that solves the DTDH problem in the bilinear group system generator Setup with probability $\varepsilon' = \varepsilon/2 - o(1)$ within time $t' \le q_{\mathrm{Reg}} \cdot t + (\|q\| + q_H) \cdot p_4$, where $p_4$ is an explicit polynomial.

Proof. The proof is similar to the security proofs of the scheme DS and will be given in the full version of the paper. □

We also state two important properties fulfilled by the tracing mechanism. They tell us in essence that, beyond traceability, the Tracing Authority has no ‘hidden powers’ over standard users of the system.

Theorem 4 (Abuse-free Traceability). Signatures issued by user $A$ remain invisible to the tracing authority itself as long as the anonymity key $x_1$ of user $A$ is undisclosed to the TA.

Theorem 5 (Tracing-Proof Unforgeability). After $x_1$ is disclosed to the TA to enable tracing, the tracing authority is still unable to existentially forge signatures on behalf of $A$.

We argue that these properties come from the computational separation between the anonymity key $x_1$ and the signing key $x_2$. In fact, after the $x_1$-part of the secret key of a traced user has been revoked, signatures from that user remain unforgeable because $x_2$ has not been compromised. The revoked user could even be rehabilitated and a new anonymity key generated to replace the revoked one. This allows a clear separation of powers invested in users and authorities of the system. Due to lack of space, the complete proofs will be given in the full version of the paper.


5.3 Technical Considerations

Implementation of the nizk proof $\pi$. The NIZK proof $\pi$ is implemented as a Fiat-Shamir-transformed conjunction of interactive proofs of the predicates forming $\pi$. We rely on prior art [8] to provide an efficient procedure to generate $\pi$ in practice.

Performance. Signature generation requires 2 exponentiations over group $\mathbb{G}_1$ and 2 over group $\mathbb{G}_2$, and no pairing. Here too, off-line/on-line signature generation trade-offs are possible by appending a third key part $X_3 = x_3 P_2$ to the user key. Signature conversions and the generation of trapdoors require a single exponentiation over $\mathbb{G}_2$ or $\mathbb{G}_1$ respectively. All verification algorithms require at least two evaluations of the bilinear map. We note that the tracing procedure requires $O(N)$ bilinear map evaluations, where $N$ is the number of registered (non-revoked) users. We leave as an open problem to find similar schemes admitting a tracing procedure of polylogarithmic complexity in all parameters.

Extensions. Invisibility under the Decisional Tripartite Diffie-Hellman assumption is obtained by replacing the individual conversion procedures by standard NIZK proofs. All operations within the scheme (signature conversion, trapdoor generation) are easily adapted to be verifiable. Among other possible extensions, we cite multi-receiver directed signatures.

6 Conclusion

We properly defined security notions for directed signatures that support the additional property of universal conversion. Using the xyz-trick, we realized the first scheme featuring both individual and universal conversion of signatures, thereby addressing a problem left open since 1993. The new scheme offers attractive practical advantages in terms of signature length and performance. In comparison with previous works, the computational costs for the signer in the signature generation, the confirmation/disavowal protocols and the conversion algorithms are among the smallest of all delegated undeniable signature schemes. We have proved the security of our scheme in the random oracle model under computational assumptions closely related to the Diffie-Hellman and Decision Diffie-Hellman assumptions on bilinear map groups.

Finally, we introduced traceable directed signatures as a powerful extension that allows a Tracing Authority within the system to link signatures to their direction, i.e. issuer and receiver. We believe that our signature schemes are simultaneously efficient and customizable, and we expect to see new cryptographic applications of our work in the future. The xyz-trick will certainly have other applications in future works as well. For example, our scheme is easily extended to achieve the time-selective conversion property as in [20].
A Invisibility of DS

The invisibility of DS relies on the difficulty of solving the following $\ell$-Tripartite-DCAA Problem in connection to the xyz-trick. It is similar to a class of problems recently introduced by Laguillaumie and Vergnaud [20]:

$\ell$-Tripartite-DCAA Problem: Let $(q, P_1, P_2, g_T, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, \langle\cdot,\cdot\rangle, \psi)$ be a bilinear group system. Given $(x_1P_1, x_2P_2, yP_1, zP_2, Q, h) \in (\mathbb{G}_1 \times \mathbb{G}_2)^2 \times \mathbb{G}_1 \times \mathbb{Z}_q^*$ and, for some $\ell > 0$,

$$\big(h_i,\; x_1(x_2 + h_i)^{-1}P_1,\; x_1 y (x_2 + h_i)^{-1}P_1\big)_{i \in [1,\ell]} \in (\mathbb{Z}_q^* \times \mathbb{G}_1^2)^{\ell}$$

with $h \in \{h_1, \ldots, h_\ell\}$, decide whether $Q = x_1 y z (x_2 + h)^{-1} P_1$.

We state that, assuming the hardness of the $\ell$-Tripartite-DCAA problem and that of the Flexible Square Diffie-Hellman problem, the schemes DS and DST are invisible under chosen-message attack in the random oracle model.

Theorem 6 (Invisibility of DS and DST). Let $t, q_H \in \mathbb{N}^{\mathbb{N}}$, $q = (q_{\mathrm{Sign}}, q_{\mathrm{Confirm}}, q_{\mathrm{Deny}}, q_{\mathrm{Conv}}, q_{\mathrm{Trap}}, q_{\mathrm{Reg}}) \in [\mathbb{N}^{\mathbb{N}}]^6$ and $\varepsilon \in [0,1]^{\mathbb{N}}$. Assume there exists a $(k, t, q, \varepsilon)$-distinguisher $A$, in the random oracle model, against DS (or DST). Then there exists an algorithm $B$ that solves the $q_S$-Tripartite-DCAA problem in the bilinear group generator Setup with advantage $\varepsilon'$ and a $(k, t'', q, \varepsilon'')$-forger $C$ against DS such that

$$\varepsilon' + (q_{\mathrm{Confirm}} + q_{\mathrm{Deny}} + q_{\mathrm{Convert}}) \cdot \varepsilon'' \ge \varepsilon$$

where $B$ runs in time at most $t' = (q_{\mathrm{Reg}} + 1) \cdot t$ and $C$ runs in time $t'' = t + O(1)$.

Proof. Assume $A$ is an Inv-CMA-adversary that $(k, t, q, \varepsilon)$-distinguishes the signatures of DS. As in the unforgeability proof, $q_H$ represents the number of queries submitted by $A$ to $H$, since $H$ is again viewed as a random oracle. We construct two reduction algorithms $B$ and $C$ that interact with $A$ and respectively solve the $q_S$-Tripartite-DCAA problem and produce an existential forgery with time and success probability as claimed in Theorem 6.
Algorithm $B$: Algorithm $B$ is given public parameters $(q, P_1, P_2, g_T, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, \langle\cdot,\cdot\rangle, \psi)$ generated by $\mathrm{Setup}(k)$ and an instance

$$\Big((x_1P_1, x_2P_2, yP_1, zP_2, Q, h),\; \big(h_i,\; R_i = \tfrac{x_1}{x_2 + h_i} P_1,\; S_i = \tfrac{x_1 y}{x_2 + h_i} P_1\big)_{i \in [1, q_S]}\Big)$$

in $(\mathbb{G}_1 \times \mathbb{G}_2)^2 \times \mathbb{G}_1 \times \mathbb{Z}_q^* \times (\mathbb{Z}_q^* \times \mathbb{G}_1^2)^{q_S}$ of the $q_S$-Tripartite-DCAA problem. $B$'s goal is to decide whether $Q = x_1 y z (x_2 + h)^{-1} P_1$, and $B$ proceeds to use forger $A$ to do so. $B$ sets $X_1 = x_1 P_1$, $X_2 = x_2 P_2$, $Y^* = yP_1$, initializes a counter $i = 1$ and simulates $A$'s environment as follows:

Simulation of $H$. Same simulation as in the unforgeability proof.

Simulation of DS.Register. Each time the adversary registers a new public key $Y = y'P_1$, the reduction rewinds $A$ from the beginning without changing anything but the challenge in the proof-of-knowledge of the discrete logarithm $y'$ of $Y$ in base $P_2$ (see the proof of unforgeability). Therefore, we can suppose wlog that the reduction knows the secret key of all the users registered by $A$, at the expense of running $A$ at most $q_{\mathrm{Reg}}(k)$ times.

Simulation of DS.Signer.{Confirm, Deny}. If the signature has been produced by $B$ in the simulation then use the same simulation as in the unforgeability proof. Otherwise, simulate a designated-verifier proof of invalidity.

Simulation of DS.Sign. Given $m \in \{0,1\}^*$ and a confirmer's public key $Y$, pick a random $r \leftarrow \mathbb{Z}_q^*$. If $Y = Y^*$ set $U = rP_2$ and $V = rS_i$. Otherwise $Y = y'P_1 \neq Y^*$, and $B$ sets $U = rP_2$ and $V = ry'R_i$. Now if $H(m, U, Y)$ is defined and is $\neq h_i$, the reduction restarts with a new value for $r$. Otherwise the reduction defines $H(m, U, Y) = h_i$, outputs $\sigma = (U, V)$ and increments $i$.

Simulation of DS.Convert.{Signer, Confirmer}. Given $Y \in \mathbb{G}$, $m \in \{0,1\}^*$ and $\sigma = (U, V) \in \mathbb{G}^2$, invoke the simulation of $H$ on $(m, U, Y)$. If $\sigma$ has been obtained by the simulation of DS.Sign then retrieve the randomness $r$ such that $U = rP_2$ and output $\sigma_A = (U, V, rX_1)$ or $\sigma_B = (U, V, rY)$. Otherwise, output Invalid.

Simulation of DS.Signer.Trapdoor. Given $Y \in \mathbb{G} \setminus \{Y^*\}$, output $T = y'X_1$ where $Y = y'P_2$.

In this simulation $B$ simulates perfectly $A$'s environment unless at some point in time $A$ queries a valid signature $(U, V)$ not produced by $B$ to the oracles DS.Signer.{Confirm, Deny} or DS.Convert.{Signer, Confirmer}. Let us denote this event Bad. We have $|\varepsilon'(k) - \varepsilon(k)| \le \Pr(\mathrm{Bad})$ and the running time of $B$ is at most $t'(k) = (q_{\mathrm{Reg}}(k) + 1) \cdot t(k) + O(1)$.

Algorithm $C$: We claim that there exists an EF-CMA-adversary $C$ which $(k, t'', q, \varepsilon'')$-breaks DS, where $t'' = t + O(1)$ and $\varepsilon'' \ge (q_{\mathrm{Confirm}} + q_{\mathrm{Deny}} + q_{\mathrm{Convert}})^{-1} \Pr[\mathrm{Bad}]$. Basically, $C$ runs $A$ and outputs as a forgery one of the signatures (selected at random) queried by $A$ during the Inv-CMA game to one of the oracles DS.Signer.{Confirm, Deny} or DS.Convert.{Signer, Confirmer} which was not obtained from the oracle DS.Sign.

This directly leads to the above claims for the scheme DS, and the proof extends readily to the invisibility of the scheme DST. □